diff --git a/.github/workflows/checks.yml b/.github/workflows/checks.yml
index 20074881d35..da04536f9ad 100644
--- a/.github/workflows/checks.yml
+++ b/.github/workflows/checks.yml
@@ -97,93 +97,3 @@ jobs:
check-latest: true
- name: Run lint action
uses: ./.github/workflows/lint-action
- prepare_test_image_testdata:
- permissions:
- contents: read # to fetch code (actions/checkout)
- runs-on: ubuntu-latest
- steps:
- - name: Check out code
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- with:
- persist-credentials: false
- - run: scripts/build_test_images.sh
- - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
- with:
- name: image-testdata-${{ github.run_number }}-${{ github.run_attempt }}
- path: cmd/osv-scanner/scan/image/testdata/*.tar
- retention-days: 1
- tests:
- permissions:
- contents: read # to fetch code (actions/checkout)
- needs:
- - prepare_test_image_testdata
- name: Run unit tests
- strategy:
- fail-fast: false
- matrix:
- os: [ubuntu-latest, macos-latest, windows-latest]
- runs-on: ${{ matrix.os }}
- steps:
- - name: Check out code
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- with:
- persist-credentials: false
- - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
- with:
- pattern: image-testdata-${{ github.run_number }}-*
- path: cmd/osv-scanner/scan/image/testdata/
- - name: Set up Go
- uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
- with:
- go-version-file: "go.mod"
- check-latest: true
- - name: Run test action
- uses: ./.github/workflows/test-action
- with:
- codecov_token: ${{ secrets.CODECOV_TOKEN }}
- docker:
- permissions:
- contents: read # to fetch code (actions/checkout)
- runs-on: ubuntu-latest
- env:
- # Required for buildx on docker 19.x
- DOCKER_CLI_EXPERIMENTAL: "enabled"
- steps:
- - name: Checkout
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- with:
- fetch-depth: 0
- - name: Set up Go
- uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
- with:
- go-version-file: "go.mod"
- check-latest: true
- - uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4.0.0
- - uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
- - name: Run GoReleaser
- id: run-goreleaser
- uses: goreleaser/goreleaser-action@ec59f474b9834571250b370d4735c50f8e2d1e29 # v7.0.0
- with:
- distribution: goreleaser
- version: "~> v2"
- args: release --clean --snapshot
- - env:
- ARTIFACTS: ${{ steps.run-goreleaser.outputs.artifacts }}
- run: |
- echo "$ARTIFACTS" > output.json
- jq -r '.[] | select(
- .type == "Docker Image" and
- .goarch == "amd64" and
- .goos == "linux" and
- .extra.DockerConfig.dockerfile == "goreleaser.dockerfile"
- ) | .name' output.json | while read -r image; do
- echo "Testing image $image"
-
- exit_code=0
- docker run -v ${PWD}:/src $image -L /src/go.mod || exit_code=$?
-
- # fail if we get a non-zero exit code other than "vulnerabilities were found"
- if [[ $exit_code -ne 0 && $exit_code -ne 1 ]]; then
- exit $exit_code
- fi
- done
diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
new file mode 100644
index 00000000000..774fb1f3426
--- /dev/null
+++ b/.github/workflows/tests.yml
@@ -0,0 +1,138 @@
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+name: Tests
+
+on:
+ push:
+ branches: ["main", "v1", "mcp"]
+ paths-ignore:
+ - "**/*.md"
+ - "docs/**"
+ - ".github/workflows/*"
+ - "!.github/workflows/tests.yml"
+ - "!.github/workflows/test-action/**"
+ pull_request:
+ # The branches below must be a subset of the branches above
+ branches: ["main", "v1", "mcp"]
+ paths-ignore:
+ - "**/*.md"
+ - "docs/**"
+ - ".github/workflows/*"
+ - "!.github/workflows/tests.yml"
+ - "!.github/workflows/test-action/**"
+ workflow_dispatch:
+
+concurrency:
+ # Pushing new changes to a branch will cancel any in-progress CI runs
+ group: ${{ github.workflow }}-${{ github.ref }}
+ cancel-in-progress: true
+
+# Restrict jobs in this workflow to have no permissions by default; permissions
+# should be granted per job as needed using a dedicated `permissions` block
+permissions: {}
+
+jobs:
+ prepare_test_image_testdata:
+ permissions:
+ contents: read # to fetch code (actions/checkout)
+ runs-on: ubuntu-latest
+ steps:
+ - name: Check out code
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
+ - run: scripts/build_test_images.sh
+ - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+ with:
+ name: image-testdata-${{ github.run_number }}-${{ github.run_attempt }}
+ path: cmd/osv-scanner/scan/image/testdata/*.tar
+ retention-days: 1
+ tests:
+ permissions:
+ contents: read # to fetch code (actions/checkout)
+ needs:
+ - prepare_test_image_testdata
+ name: Run unit tests
+ strategy:
+ fail-fast: false
+ matrix:
+ os: [ubuntu-latest, macos-latest, windows-latest]
+ runs-on: ${{ matrix.os }}
+ steps:
+ - name: Check out code
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
+ - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
+ with:
+ pattern: image-testdata-${{ github.run_number }}-*
+ path: cmd/osv-scanner/scan/image/testdata/
+ - name: Set up Go
+ uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
+ with:
+ go-version-file: "go.mod"
+ check-latest: true
+ - name: Run test action
+ uses: ./.github/workflows/test-action
+ with:
+ codecov_token: ${{ secrets.CODECOV_TOKEN }}
+ docker:
+ permissions:
+ contents: read # to fetch code (actions/checkout)
+ runs-on: ubuntu-latest
+ env:
+ # Required for buildx on docker 19.x
+ DOCKER_CLI_EXPERIMENTAL: "enabled"
+ steps:
+ - name: Checkout
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ fetch-depth: 0
+ persist-credentials: false
+ - name: Set up Go
+ uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
+ with:
+ go-version-file: "go.mod"
+ check-latest: true
+ cache: false
+ - uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4.0.0
+ - uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
+ - name: Run GoReleaser
+ id: run-goreleaser
+ uses: goreleaser/goreleaser-action@ec59f474b9834571250b370d4735c50f8e2d1e29 # v7.0.0
+ with:
+ distribution: goreleaser
+ version: "~> v2"
+ args: release --clean --snapshot
+ - env:
+ ARTIFACTS: ${{ steps.run-goreleaser.outputs.artifacts }}
+ run: |
+ echo "$ARTIFACTS" > output.json
+ jq -r '.[] | select(
+ .type == "Docker Image" and
+ .goarch == "amd64" and
+ .goos == "linux" and
+ .extra.DockerConfig.dockerfile == "goreleaser.dockerfile"
+ ) | .name' output.json | while read -r image; do
+ echo "Testing image $image"
+
+ exit_code=0
+ docker run -v ${PWD}:/src $image -L /src/go.mod || exit_code=$?
+
+ # fail if we get a non-zero exit code other than "vulnerabilities were found"
+ if [[ $exit_code -ne 0 && $exit_code -ne 1 ]]; then
+ exit $exit_code
+ fi
+ done
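Review bot: The last step of the `docker` job runs the freshly built scanner image with a writable bind mount of the whole checkout and unquoted expansions, `docker run -v ${PWD}:/src $image -L /src/go.mod`; the scan only reads `/src/go.mod`, so the mount should be read-only and the variables quoted: `docker run --rm -v "${PWD}:/src:ro" "$image" -L /src/go.mod`. `$image` is read line-by-line from `jq` output, so word-splitting is unlikely to bite today, but a snapshot build is exactly the kind of artifact a smoke test should not trust with write access to the workspace, and `--rm` keeps stopped containers from piling up on the runner. The `exit $exit_code` inside the piped `while` loop only fails the step because the pipeline's status is that of the loop's subshell under the default `bash -eo pipefail`; a one-line comment such as `# exit in the loop subshell fails the pipeline, and so the step, under the default bash -eo pipefail` would make that dependency explicit before someone adds a custom `shell:`.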
diff --git a/cmd/osv-scanner/fix/__snapshots__/command_test.snap b/cmd/osv-scanner/fix/__snapshots__/command_test.snap
index 3dfc6598565..4b2ba0ce765 100755
--- a/cmd/osv-scanner/fix/__snapshots__/command_test.snap
+++ b/cmd/osv-scanner/fix/__snapshots__/command_test.snap
@@ -9204,7 +9204,7 @@ Guided remediation (the fix command) can be risky when run on untrusted projects
{
"name": "org.codehaus.plexus:plexus-utils",
"versionFrom": "3.0",
- "versionTo": "4.0.3",
+ "versionTo": "3.6.1",
"transitive": false
}
],
@@ -9358,7 +9358,7 @@ Guided remediation (the fix command) can be risky when run on untrusted projects
org.codehaus.plexus
plexus-utils
- 4.0.3
+ 3.6.1
@@ -9512,7 +9512,7 @@ Guided remediation (the fix command) can be risky when run on untrusted projects
Found 13 vulnerabilities matching the filter
Can fix 13/13 matching vulnerabilities by overriding 4 dependencies
OVERRIDE-PACKAGE: org.apache.httpcomponents:httpclient,4.5.13
-OVERRIDE-PACKAGE: org.codehaus.plexus:plexus-utils,4.0.3
+OVERRIDE-PACKAGE: org.codehaus.plexus:plexus-utils,3.6.1
OVERRIDE-PACKAGE: commons-io:commons-io,2.14.0
OVERRIDE-PACKAGE: org.jsoup:jsoup,1.15.3
FIXED-VULN-IDS: GHSA-2x83-r56g-cv47,GHSA-6fmv-xxpf-w3cw,GHSA-78wr-2p64-hpwj,GHSA-7r82-7xv7-xcpj,GHSA-8vhq-qq4p-grq3,GHSA-cfh5-3ghh-wfjx,GHSA-fmj5-wv96-r2ch,GHSA-g6ph-x5wf-g337,GHSA-gp7f-rwcx-9369,GHSA-gw85-4gmf-m7rh,GHSA-gwrp-pvrq-jmwv,GHSA-jcwr-x25h-x5fh,GHSA-m72m-mhq2-9p6c
@@ -9566,7 +9566,7 @@ UNFIXABLE-VULNS: 0
org.codehaus.plexus
plexus-utils
- 4.0.3
+ 3.6.1
@@ -11354,7 +11354,7 @@ Guided remediation (the fix command) can be risky when run on untrusted projects
Found 13 vulnerabilities matching the filter
Can fix 13/13 matching vulnerabilities by overriding 4 dependencies
OVERRIDE-PACKAGE: org.apache.httpcomponents:httpclient,4.5.13
-OVERRIDE-PACKAGE: org.codehaus.plexus:plexus-utils,4.0.3
+OVERRIDE-PACKAGE: org.codehaus.plexus:plexus-utils,3.6.1
OVERRIDE-PACKAGE: commons-io:commons-io,2.14.0
OVERRIDE-PACKAGE: org.jsoup:jsoup,1.15.3
FIXED-VULN-IDS: GHSA-2x83-r56g-cv47,GHSA-6fmv-xxpf-w3cw,GHSA-78wr-2p64-hpwj,GHSA-7r82-7xv7-xcpj,GHSA-8vhq-qq4p-grq3,GHSA-cfh5-3ghh-wfjx,GHSA-fmj5-wv96-r2ch,GHSA-g6ph-x5wf-g337,GHSA-gp7f-rwcx-9369,GHSA-gw85-4gmf-m7rh,GHSA-gwrp-pvrq-jmwv,GHSA-jcwr-x25h-x5fh,GHSA-m72m-mhq2-9p6c
@@ -11408,7 +11408,7 @@ UNFIXABLE-VULNS: 0
org.codehaus.plexus
plexus-utils
- 4.0.3
+ 3.6.1
diff --git a/cmd/osv-scanner/mcp/__snapshots__/integration_test.snap b/cmd/osv-scanner/mcp/__snapshots__/integration_test.snap
index 2c95059cdf7..a86e636eb93 100755
--- a/cmd/osv-scanner/mcp/__snapshots__/integration_test.snap
+++ b/cmd/osv-scanner/mcp/__snapshots__/integration_test.snap
@@ -24,7 +24,6 @@ lockfile:/testdata/go-project/go.mod: found 1 package with issues
Severity: '5.9'; Minimal Fix Version: '1.1.0';
1 known vulnerability found in lockfile:/testdata/go-project/go.mod
-Hiding 9 number of vulnerabilities deemed unimportant, use --all-vulns to show them.
-
+Hiding 15 number of vulnerabilities deemed unimportant, use --all-vulns to show them.
---
diff --git a/cmd/osv-scanner/scan/image/__snapshots__/command_test.snap b/cmd/osv-scanner/scan/image/__snapshots__/command_test.snap
index a034f8b16e6..22ceb3c9308 100755
--- a/cmd/osv-scanner/scan/image/__snapshots__/command_test.snap
+++ b/cmd/osv-scanner/scan/image/__snapshots__/command_test.snap
@@ -1202,6 +1202,34 @@ You can also view the full vulnerability list in your terminal with: `osv-scanne
---
+[TestCommand_OCIImage/scanning_ubuntu_image_with_homebrew_extractor - 1]
+Scanning local image tarball "./testdata/test-ubuntu-homebrew.tar"
+skipping file "home/linuxbrew/.linuxbrew/Homebrew/Library/Taps/homebrew/homebrew-core/.git/objects/pack/pack-0113dab039640255baab5438994e90f67a4c482c.pack" because its size (1155620741 bytes) is larger than the max size (1073741824 bytes)
+
+
+Container Scanning Result (Ubuntu 22.04.5 LTS):
+Total 1 package affected by 3 known vulnerabilities (1 Critical, 1 High, 1 Medium, 0 Low, 0 Unknown) from 1 ecosystem.
+0 vulnerabilities can be fixed.
+
+
+GIT
++------------------------------------------------------------------------------------------------------------------------------------------------------+
+| Source:os:/home/linuxbrew/.linuxbrew/Cellar/cjson/1.7.17/INSTALL_RECEIPT.json |
++-------------------------------------+-------------------+------------------+------------+-------------------------+------------------+---------------+
+| SOURCE PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | BINARY PACKAGES (COUNT) | INTRODUCED LAYER | IN BASE IMAGE |
++-------------------------------------+-------------------+------------------+------------+-------------------------+------------------+---------------+
+| https://github.com/DaveGamble/cJSON | 1.7.17 | No fix available | 3 | | # 19 Layer | -- |
++-------------------------------------+-------------------+------------------+------------+-------------------------+------------------+---------------+
+
+For the most comprehensive scan results, we recommend using the HTML output: `osv-scanner scan image --serve `.
+You can also view the full vulnerability list in your terminal with: `osv-scanner scan image --format vertical `.
+
+---
+
+[TestCommand_OCIImage/scanning_ubuntu_image_with_homebrew_extractor - 2]
+
+---
+
[TestCommand_OCIImage_JSONFormat/Scanning_python_image_with_some_packages - 1]
{
"results": [
diff --git a/cmd/osv-scanner/scan/image/command_test.go b/cmd/osv-scanner/scan/image/command_test.go
index 63ce381cd89..1a75a044c0c 100644
--- a/cmd/osv-scanner/scan/image/command_test.go
+++ b/cmd/osv-scanner/scan/image/command_test.go
@@ -352,6 +352,17 @@ func TestCommand_OCIImage(t *testing.T) {
},
Exit: 1,
},
+ {
+ Name: "scanning_ubuntu_image_with_homebrew_extractor",
+ Args: []string{
+ "", "image",
+ "--experimental-plugins", "os/homebrew",
+ "--experimental-plugins", "misc/brew-source",
+ "--experimental-no-default-plugins",
+ "--archive", "./testdata/test-ubuntu-homebrew.tar",
+ },
+ Exit: 1,
+ },
}
for _, tt := range tests {
t.Run(tt.Name, func(t *testing.T) {
diff --git a/cmd/osv-scanner/scan/image/testdata/cassettes/TestCommand_OCIImage.yaml b/cmd/osv-scanner/scan/image/testdata/cassettes/TestCommand_OCIImage.yaml
index 393ec521747..c5a3284dc9a 100644
--- a/cmd/osv-scanner/scan/image/testdata/cassettes/TestCommand_OCIImage.yaml
+++ b/cmd/osv-scanner/scan/image/testdata/cassettes/TestCommand_OCIImage.yaml
@@ -15602,3 +15602,62 @@ interactions:
status: 200 OK
code: 200
duration: 0s
+ - request:
+ proto: HTTP/1.1
+ proto_major: 1
+ proto_minor: 1
+ content_length: 171
+ host: api.osv.dev
+ body: |
+ {
+ "queries": [
+ {
+ "package": {
+ "ecosystem": "GIT",
+ "name": "https://github.com/davegamble/cjson"
+ },
+ "version": "1.7.17"
+ }
+ ]
+ }
+ headers:
+ Content-Type:
+ - application/json
+ X-Test-Name:
+ - TestCommand_OCIImage/scanning_ubuntu_image_with_homebrew_extractor
+ url: https://api.osv.dev/v1/querybatch
+ method: POST
+ response:
+ proto: HTTP/1.1
+ proto_major: 1
+ proto_minor: 1
+ content_length: 220
+ body: |
+ {
+ "results": [
+ {
+ "vulns": [
+ {
+ "id": "CVE-2023-53154",
+ "modified": "2026-03-14T12:23:16.581554Z"
+ },
+ {
+ "id": "CVE-2024-31755",
+ "modified": "2026-03-14T12:30:30.932017Z"
+ },
+ {
+ "id": "CVE-2025-57052",
+ "modified": "2026-03-23T05:11:28.908372Z"
+ }
+ ]
+ }
+ ]
+ }
+ headers:
+ Content-Length:
+ - "220"
+ Content-Type:
+ - application/json
+ status: 200 OK
+ code: 200
+ duration: 0s
diff --git a/cmd/osv-scanner/scan/image/testdata/test-ubuntu-homebrew.Dockerfile b/cmd/osv-scanner/scan/image/testdata/test-ubuntu-homebrew.Dockerfile
new file mode 100644
index 00000000000..baa8fdda033
--- /dev/null
+++ b/cmd/osv-scanner/scan/image/testdata/test-ubuntu-homebrew.Dockerfile
@@ -0,0 +1,13 @@
+FROM ghcr.io/homebrew/ubuntu22.04:5.1.4@sha256:6b3c4bc0a7128cf5a78d2e641da6e88ac4195714e1315c4d2b522532d7fb1e7a
+
+USER linuxbrew
+WORKDIR /home/linuxbrew
+
+ENV HOMEBREW_NO_AUTO_UPDATE=1 \
+ NONINTERACTIVE=1
+
+# Install vulnerable package
+RUN brew install cjson
+
+# Make it vulnerable :)
+RUN mv .linuxbrew/Cellar/cjson/* .linuxbrew/Cellar/cjson/1.7.17
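Review bot: The fixture image built from this Dockerfile carries a full homebrew-core tap clone — the new image snapshot in this same commit shows the scanner skipping a 1155620741-byte pack under `home/linuxbrew/.linuxbrew/Homebrew/Library/Taps/homebrew/homebrew-core/.git/` — and that tarball is uploaded as a CI artifact and downloaded by all three OS matrix jobs, so the tap should be removed after the install, e.g. `RUN rm -rf .linuxbrew/Homebrew/Library/Taps/homebrew/homebrew-core && brew cleanup -s` (the tap presumably ships with the base image rather than being cloned by `brew install`; confirm the path before relying on it). Separately, `brew install cjson` pulls whatever bottle is current and the final `mv` only relabels the Cellar directory, so the fixture is not reproducible across rebuilds and the `mv` would nest the directory instead of renaming it if the installed version is ever 1.7.17 itself; the snapshot suggests the extractor takes the version from the path, so a comment stating that intent — `# relabel the Cellar dir so the extractor reports the known-vulnerable 1.7.17; INSTALL_RECEIPT.json still records the real version` — would save the next reader from guessing.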
diff --git a/cmd/osv-scanner/scan/source/__snapshots__/command_test.snap b/cmd/osv-scanner/scan/source/__snapshots__/command_test.snap
index 753171a74f8..c773f57de7a 100755
--- a/cmd/osv-scanner/scan/source/__snapshots__/command_test.snap
+++ b/cmd/osv-scanner/scan/source/__snapshots__/command_test.snap
@@ -516,9 +516,9 @@ Total 6 packages affected by 10 known vulnerabilities (2 Critical, 2 High, 2 Med
| 0BSD | Packagist | league/flysystem | 1.0.8 | testdata/locks-insecure/composer.lock |
| UNKNOWN | Go | stdlib | 1.99.9 | testdata/locks-insecure/osv-scanner-custom.json |
| UNKNOWN | Go | toolchain | 1.99.9 | testdata/locks-insecure/osv-scanner-custom.json |
-| UNKNOWN | | https://chromium.googlesource.com/chromium/src | | testdata/locks-insecure/osv-scanner-flutter-deps.json |
-| UNKNOWN | | https://github.com/brendan-duncan/archive.git | | testdata/locks-insecure/osv-scanner-flutter-deps.json |
-| UNKNOWN | | https://github.com/flutter/buildroot.git | | testdata/locks-insecure/osv-scanner-flutter-deps.json |
+| UNKNOWN | GIT | https://chromium.googlesource.com/chromium/src | | testdata/locks-insecure/osv-scanner-flutter-deps.json |
+| UNKNOWN | GIT | https://github.com/brendan-duncan/archive.git | | testdata/locks-insecure/osv-scanner-flutter-deps.json |
+| UNKNOWN | GIT | https://github.com/flutter/buildroot.git | | testdata/locks-insecure/osv-scanner-flutter-deps.json |
| 0BSD | Packagist | drupal/core | 10.4.5 | testdata/locks-many-with-insecure/composer.lock |
| 0BSD | Packagist | drupal/simple_sitemap | 4.2.1 | testdata/locks-many-with-insecure/composer.lock |
| 0BSD | Packagist | drupal/tfa | 2.0.0-alpha4 | testdata/locks-many-with-insecure/composer.lock |
@@ -897,7 +897,7 @@ Scanned /testdata/sbom-insecure/with-duplicates.cdx.xml file and found
Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding.
Filtered 10 local/unscannable package/s from the scan.
-Total 26 packages affected by 181 known vulnerabilities (20 Critical, 78 High, 56 Medium, 3 Low, 24 Unknown) from 4 ecosystems.
+Total 26 packages affected by 181 known vulnerabilities (20 Critical, 78 High, 56 Medium, 4 Low, 23 Unknown) from 4 ecosystems.
11 vulnerabilities can be fixed.
+---------------------------------------+------+-----------+--------------------------------+------------------------------------+-----------------------------------+---------------------------------------------------------------------+
@@ -1109,7 +1109,7 @@ Total 26 packages affected by 181 known vulnerabilities (20 Critical, 78 High, 5
| https://osv.dev/DSA-5055-1 | 5.5 | Debian | util-linux | 2.29.2-1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/DSA-5650-1 | 5.5 | Debian | util-linux | 2.29.2-1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/DEBIAN-CVE-2016-2779 | 7.8 | Debian | util-linux | 2.29.2-1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |
-| https://osv.dev/DEBIAN-CVE-2026-3184 | | Debian | util-linux | 2.29.2-1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |
+| https://osv.dev/DEBIAN-CVE-2026-3184 | 3.7 | Debian | util-linux | 2.29.2-1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/DSA-5123-1 | 8.8 | Debian | xz-utils | 5.2.2-1.2+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/DSA-5895-1 | 8.7 | Debian | xz-utils | 5.2.2-1.2+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/DEBIAN-CVE-2024-3094 | 10.0 | Debian | xz-utils | 5.2.2-1.2+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |
@@ -1987,43 +1987,110 @@ Total 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medi
[TestCommand_CommitSupport/offline_uses_git_tags - 1]
Scanned /testdata/locks-git/osv-scanner.json file and found 11 packages
Loaded GIT local db from /osv-scanner/GIT/all.zip
-Skipping commit scanning for: 45fda76bc1b9fd74d10e85e0ce9b65a12dcc58b0
-Total 8 packages affected by 28 known vulnerabilities (5 Critical, 5 High, 11 Medium, 0 Low, 7 Unknown) from 1 ecosystem.
+Total 8 packages affected by 96 known vulnerabilities (14 Critical, 34 High, 39 Medium, 3 Low, 6 Unknown) from 1 ecosystem.
0 vulnerabilities can be fixed.
-+--------------------------------+------+-----------+----------------------------+----------------------------+---------------+-------------------------------------+
-| OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | FIXED VERSION | SOURCE |
-+--------------------------------+------+-----------+----------------------------+----------------------------+---------------+-------------------------------------+
-| https://osv.dev/OSV-2018-389 | | GIT | git://github.com/boostorg/boost@1a9dda41 | -- | testdata/locks-git/osv-scanner.json |
-| https://osv.dev/OSV-2018-389 | | GIT | github.com/boostorg/boost@1a9dda41 | -- | testdata/locks-git/osv-scanner.json |
-| https://osv.dev/OSV-2018-389 | | GIT | http://github.com/boostorg/boost@1a9dda41 | -- | testdata/locks-git/osv-scanner.json |
-| https://osv.dev/OSV-2023-1161 | | GIT | https://github.com/Exiv2/exiv2@931a40a7 | -- | testdata/locks-git/osv-scanner.json |
-| https://osv.dev/OSV-2024-340 | | GIT | https://github.com/Exiv2/exiv2@931a40a7 | -- | testdata/locks-git/osv-scanner.json |
-| https://osv.dev/OSV-2018-389 | | GIT | https://github.com/boostorg/boost@1a9dda41 | -- | testdata/locks-git/osv-scanner.json |
-| https://osv.dev/CVE-2024-51757 | 9.3 | GIT | https://github.com/capricorn86/happy-dom.git@f8221103 | -- | testdata/locks-git/osv-scanner.json |
-| https://osv.dev/CVE-2025-61927 | 7.2 | GIT | https://github.com/capricorn86/happy-dom.git@f8221103 | -- | testdata/locks-git/osv-scanner.json |
-| https://osv.dev/CVE-2025-62410 | 9.4 | GIT | https://github.com/capricorn86/happy-dom.git@f8221103 | -- | testdata/locks-git/osv-scanner.json |
-| https://osv.dev/CVE-2025-11187 | 6.1 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json |
-| https://osv.dev/CVE-2025-15467 | 9.8 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json |
-| https://osv.dev/CVE-2025-15468 | 5.9 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json |
-| https://osv.dev/CVE-2025-15469 | 5.5 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json |
-| https://osv.dev/CVE-2025-4575 | 6.5 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json |
-| https://osv.dev/CVE-2025-66199 | 5.9 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json |
-| https://osv.dev/CVE-2025-68160 | 4.7 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json |
-| https://osv.dev/CVE-2025-69418 | 4.0 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json |
-| https://osv.dev/CVE-2025-69419 | 7.4 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json |
-| https://osv.dev/CVE-2025-69420 | 7.5 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json |
-| https://osv.dev/CVE-2025-9230 | 7.5 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json |
-| https://osv.dev/CVE-2025-9231 | 6.5 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json |
-| https://osv.dev/CVE-2025-9232 | 5.9 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json |
-| https://osv.dev/CVE-2026-22795 | 5.5 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json |
-| https://osv.dev/CVE-2026-22796 | 5.3 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json |
-| https://osv.dev/CVE-2026-2673 | | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json |
-| https://osv.dev/CVE-2016-10931 | 8.1 | GIT | https://github.com/sfackler/rust-openssl@0f428d19 | -- | testdata/locks-git/osv-scanner.json |
-| https://osv.dev/CVE-2018-20997 | 9.8 | GIT | https://github.com/sfackler/rust-openssl@0f428d19 | -- | testdata/locks-git/osv-scanner.json |
-| https://osv.dev/CVE-2023-53159 | 9.1 | GIT | https://github.com/sfackler/rust-openssl@0f428d19 | -- | testdata/locks-git/osv-scanner.json |
-+--------------------------------+------+-----------+---------------------------------------------------------+---------------+-------------------------------------+
++--------------------------------+------+-----------+----------------------------------------------+----------------+---------------+-------------------------------------+
+| OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | FIXED VERSION | SOURCE |
++--------------------------------+------+-----------+----------------------------------------------+----------------+---------------+-------------------------------------+
+| https://osv.dev/OSV-2018-389 | | GIT | git://github.com/boostorg/boost | boost-1.67.0 | -- | testdata/locks-git/osv-scanner.json |
+| https://osv.dev/OSV-2018-389 | | GIT | github.com/boostorg/boost | boost-1.67.0 | -- | testdata/locks-git/osv-scanner.json |
+| https://osv.dev/OSV-2018-389 | | GIT | http://github.com/boostorg/boost | boost-1.67.0 | -- | testdata/locks-git/osv-scanner.json |
+| https://osv.dev/OSV-2023-1161 | | GIT | https://github.com/Exiv2/exiv2 | v0.28.0 | -- | testdata/locks-git/osv-scanner.json |
+| https://osv.dev/OSV-2024-340 | | GIT | https://github.com/Exiv2/exiv2 | v0.28.0 | -- | testdata/locks-git/osv-scanner.json |
+| https://osv.dev/OSV-2018-389 | | GIT | https://github.com/boostorg/boost | boost-1.67.0 | -- | testdata/locks-git/osv-scanner.json |
+| https://osv.dev/CVE-2024-51757 | 9.3 | GIT | https://github.com/capricorn86/happy-dom.git | v11.1.0 | -- | testdata/locks-git/osv-scanner.json |
+| https://osv.dev/CVE-2025-61927 | 7.2 | GIT | https://github.com/capricorn86/happy-dom.git | v11.1.0 | -- | testdata/locks-git/osv-scanner.json |
+| https://osv.dev/CVE-2025-62410 | 9.4 | GIT | https://github.com/capricorn86/happy-dom.git | v11.1.0 | -- | testdata/locks-git/osv-scanner.json |
+| https://osv.dev/CVE-2026-34226 | 7.5 | GIT | https://github.com/capricorn86/happy-dom.git | v11.1.0 | -- | testdata/locks-git/osv-scanner.json |
+| https://osv.dev/CVE-2016-0701 | 3.7 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json |
+| https://osv.dev/CVE-2016-0702 | 5.1 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json |
+| https://osv.dev/CVE-2016-0703 | 5.9 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json |
+| https://osv.dev/CVE-2016-0704 | 5.9 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json |
+| https://osv.dev/CVE-2016-0705 | 9.8 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json |
+| https://osv.dev/CVE-2016-0797 | 7.5 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json |
+| https://osv.dev/CVE-2016-0798 | 7.5 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json |
+| https://osv.dev/CVE-2016-0799 | 9.8 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json |
+| https://osv.dev/CVE-2016-0800 | 5.9 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json |
+| https://osv.dev/CVE-2016-2105 | 7.5 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json |
+| https://osv.dev/CVE-2016-2106 | 7.5 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json |
+| https://osv.dev/CVE-2016-2107 | 5.9 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json |
+| https://osv.dev/CVE-2016-2108 | 9.8 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json |
+| https://osv.dev/CVE-2016-2109 | 7.5 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json |
+| https://osv.dev/CVE-2016-2176 | 8.2 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json |
+| https://osv.dev/CVE-2016-2177 | 9.8 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json |
+| https://osv.dev/CVE-2016-2178 | 5.5 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json |
+| https://osv.dev/CVE-2016-2179 | 7.5 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json |
+| https://osv.dev/CVE-2016-2181 | 7.5 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json |
+| https://osv.dev/CVE-2016-2182 | 9.8 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json |
+| https://osv.dev/CVE-2016-2183 | 7.5 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json |
+| https://osv.dev/CVE-2016-2842 | 9.8 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json |
+| https://osv.dev/CVE-2016-6302 | 7.5 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json |
+| https://osv.dev/CVE-2016-6303 | 9.8 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json |
+| https://osv.dev/CVE-2016-6304 | 7.5 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json |
+| https://osv.dev/CVE-2016-6305 | 7.5 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json |
+| https://osv.dev/CVE-2016-6306 | 5.9 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json |
+| https://osv.dev/CVE-2016-6307 | 5.9 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json |
+| https://osv.dev/CVE-2016-6308 | 5.9 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json |
+| https://osv.dev/CVE-2016-6309 | 9.8 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json |
+| https://osv.dev/CVE-2016-7052 | 7.5 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json |
+| https://osv.dev/CVE-2016-7053 | 7.5 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json |
+| https://osv.dev/CVE-2016-7056 | 5.5 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json |
+| https://osv.dev/CVE-2016-8610 | 7.5 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json |
+| https://osv.dev/CVE-2017-3730 | 7.5 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json |
+| https://osv.dev/CVE-2017-3731 | 7.5 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json |
+| https://osv.dev/CVE-2017-3732 | 5.9 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json |
+| https://osv.dev/CVE-2017-3733 | 7.5 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json |
+| https://osv.dev/CVE-2017-3735 | 5.3 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json |
+| https://osv.dev/CVE-2017-3737 | 5.9 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json |
+| https://osv.dev/CVE-2017-3738 | 5.9 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json |
+| https://osv.dev/CVE-2018-0734 | 5.9 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json |
+| https://osv.dev/CVE-2018-0735 | 5.9 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json |
+| https://osv.dev/CVE-2018-5407 | 4.7 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json |
+| https://osv.dev/CVE-2020-1968 | 3.7 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json |
+| https://osv.dev/CVE-2021-23839 | 3.7 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json |
+| https://osv.dev/CVE-2021-23841 | 5.9 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json |
+| https://osv.dev/CVE-2021-3449 | 5.9 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json |
+| https://osv.dev/CVE-2021-3711 | 9.8 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json |
+| https://osv.dev/CVE-2021-3712 | 7.4 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json |
+| https://osv.dev/CVE-2022-2068 | 7.3 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json |
+| https://osv.dev/CVE-2022-2097 | 5.3 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json |
+| https://osv.dev/CVE-2023-0215 | 7.5 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json |
+| https://osv.dev/CVE-2023-0286 | 7.4 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json |
+| https://osv.dev/CVE-2023-0401 | 7.5 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json |
+| https://osv.dev/CVE-2023-3446 | 5.3 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json |
+| https://osv.dev/CVE-2023-6129 | 6.5 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json |
+| https://osv.dev/CVE-2023-6237 | 5.9 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json |
+| https://osv.dev/CVE-2024-0727 | 5.5 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json |
+| https://osv.dev/CVE-2024-13176 | 4.1 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json |
+| https://osv.dev/CVE-2024-2511 | 5.9 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json |
+| https://osv.dev/CVE-2024-4603 | 5.3 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json |
+| https://osv.dev/CVE-2024-4741 | 7.5 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json |
+| https://osv.dev/CVE-2024-5535 | 9.1 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json |
+| https://osv.dev/CVE-2024-6119 | 7.5 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json |
+| https://osv.dev/CVE-2024-9143 | 4.3 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json |
+| https://osv.dev/CVE-2025-11187 | 6.1 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json |
+| https://osv.dev/CVE-2025-15467 | 8.8 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json |
+| https://osv.dev/CVE-2025-15468 | 5.9 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json |
+| https://osv.dev/CVE-2025-15469 | 5.5 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json |
+| https://osv.dev/CVE-2025-4575 | 6.5 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json |
+| https://osv.dev/CVE-2025-66199 | 5.9 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json |
+| https://osv.dev/CVE-2025-68160 | 4.7 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json |
+| https://osv.dev/CVE-2025-69418 | 4.0 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json |
+| https://osv.dev/CVE-2025-69419 | 7.4 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json |
+| https://osv.dev/CVE-2025-69420 | 7.5 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json |
+| https://osv.dev/CVE-2025-69421 | 7.5 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json |
+| https://osv.dev/CVE-2025-9230 | 7.5 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json |
+| https://osv.dev/CVE-2025-9231 | 6.5 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json |
+| https://osv.dev/CVE-2025-9232 | 5.9 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json |
+| https://osv.dev/CVE-2026-22795 | 5.5 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json |
+| https://osv.dev/CVE-2026-22796 | 5.3 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json |
+| https://osv.dev/CVE-2026-2673 | 7.5 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json |
+| https://osv.dev/CVE-2016-10931 | 8.1 | GIT | https://github.com/sfackler/rust-openssl | openssl-v0.8.1 | -- | testdata/locks-git/osv-scanner.json |
+| https://osv.dev/CVE-2018-20997 | 9.8 | GIT | https://github.com/sfackler/rust-openssl | openssl-v0.8.1 | -- | testdata/locks-git/osv-scanner.json |
+| https://osv.dev/CVE-2023-53159 | 9.1 | GIT | https://github.com/sfackler/rust-openssl | openssl-v0.8.1 | -- | testdata/locks-git/osv-scanner.json |
++--------------------------------+------+-----------+----------------------------------------------+----------------+---------------+-------------------------------------+
---
@@ -2035,70 +2102,153 @@ Total 8 packages affected by 28 known vulnerabilities (5 Critical, 5 High, 11 Me
Scanned /testdata/locks-git/osv-scanner.json file and found 11 packages
Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding.
-Total 11 packages affected by 56 known vulnerabilities (7 Critical, 12 High, 23 Medium, 7 Low, 7 Unknown) from 1 ecosystem.
+Total 9 packages affected by 140 known vulnerabilities (20 Critical, 51 High, 58 Medium, 5 Low, 6 Unknown) from 1 ecosystem.
0 vulnerabilities can be fixed.
-+--------------------------------+------+-----------+----------------------------+-----------------------------+---------------+-------------------------------------+
-| OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | FIXED VERSION | SOURCE |
-+--------------------------------+------+-----------+----------------------------+-----------------------------+---------------+-------------------------------------+
-| https://osv.dev/OSV-2018-389 | | GIT | git://github.com/boostorg/boost@1a9dda41 | -- | testdata/locks-git/osv-scanner.json |
-| https://osv.dev/OSV-2018-389 | | GIT | github.com/boostorg/boost@1a9dda41 | -- | testdata/locks-git/osv-scanner.json |
-| https://osv.dev/OSV-2018-389 | | GIT | http://github.com/boostorg/boost@1a9dda41 | -- | testdata/locks-git/osv-scanner.json |
-| https://osv.dev/CVE-2023-44398 | 8.8 | GIT | https://github.com/Exiv2/exiv2@931a40a7 | -- | testdata/locks-git/osv-scanner.json |
-| https://osv.dev/PYSEC-2023-233 | | | | | |
-| https://osv.dev/CVE-2024-24826 | 5.5 | GIT | https://github.com/Exiv2/exiv2@931a40a7 | -- | testdata/locks-git/osv-scanner.json |
-| https://osv.dev/CVE-2024-25112 | 5.5 | GIT | https://github.com/Exiv2/exiv2@931a40a7 | -- | testdata/locks-git/osv-scanner.json |
-| https://osv.dev/CVE-2024-39695 | 5.3 | GIT | https://github.com/Exiv2/exiv2@931a40a7 | -- | testdata/locks-git/osv-scanner.json |
-| https://osv.dev/CVE-2025-26623 | 5.3 | GIT | https://github.com/Exiv2/exiv2@931a40a7 | -- | testdata/locks-git/osv-scanner.json |
-| https://osv.dev/CVE-2025-54080 | 1.8 | GIT | https://github.com/Exiv2/exiv2@931a40a7 | -- | testdata/locks-git/osv-scanner.json |
-| https://osv.dev/CVE-2025-55304 | 1.8 | GIT | https://github.com/Exiv2/exiv2@931a40a7 | -- | testdata/locks-git/osv-scanner.json |
-| https://osv.dev/CVE-2026-25884 | 2.7 | GIT | https://github.com/Exiv2/exiv2@931a40a7 | -- | testdata/locks-git/osv-scanner.json |
-| https://osv.dev/CVE-2026-27596 | 2.7 | GIT | https://github.com/Exiv2/exiv2@931a40a7 | -- | testdata/locks-git/osv-scanner.json |
-| https://osv.dev/CVE-2026-27631 | 2.7 | GIT | https://github.com/Exiv2/exiv2@931a40a7 | -- | testdata/locks-git/osv-scanner.json |
-| https://osv.dev/OSV-2023-1161 | | GIT | https://github.com/Exiv2/exiv2@931a40a7 | -- | testdata/locks-git/osv-scanner.json |
-| https://osv.dev/OSV-2024-340 | | GIT | https://github.com/Exiv2/exiv2@931a40a7 | -- | testdata/locks-git/osv-scanner.json |
-| https://osv.dev/CVE-2021-22569 | 5.5 | GIT | https://github.com/apache/orc@17b30e96 | -- | testdata/locks-git/osv-scanner.json |
-| https://osv.dev/CVE-2022-1941 | 7.5 | GIT | https://github.com/apache/orc@17b30e96 | -- | testdata/locks-git/osv-scanner.json |
-| https://osv.dev/CVE-2022-3171 | 7.5 | GIT | https://github.com/apache/orc@17b30e96 | -- | testdata/locks-git/osv-scanner.json |
-| https://osv.dev/CVE-2022-3509 | 7.5 | GIT | https://github.com/apache/orc@17b30e96 | -- | testdata/locks-git/osv-scanner.json |
-| https://osv.dev/CVE-2022-3510 | 7.5 | GIT | https://github.com/apache/orc@17b30e96 | -- | testdata/locks-git/osv-scanner.json |
-| https://osv.dev/CVE-2024-2410 | 9.8 | GIT | https://github.com/apache/orc@17b30e96 | -- | testdata/locks-git/osv-scanner.json |
-| https://osv.dev/CVE-2024-7254 | 7.5 | GIT | https://github.com/apache/orc@17b30e96 | -- | testdata/locks-git/osv-scanner.json |
-| https://osv.dev/OSV-2018-389 | | GIT | https://github.com/boostorg/boost@1a9dda41 | -- | testdata/locks-git/osv-scanner.json |
-| https://osv.dev/CVE-2024-51757 | 9.3 | GIT | https://github.com/capricorn86/happy-dom.git@f8221103 | -- | testdata/locks-git/osv-scanner.json |
-| https://osv.dev/CVE-2025-61927 | 7.2 | GIT | https://github.com/capricorn86/happy-dom.git@f8221103 | -- | testdata/locks-git/osv-scanner.json |
-| https://osv.dev/CVE-2025-62410 | 9.4 | GIT | https://github.com/capricorn86/happy-dom.git@f8221103 | -- | testdata/locks-git/osv-scanner.json |
-| https://osv.dev/CVE-2024-12797 | 6.3 | GIT | https://github.com/openssl/openssl@45fda76b | -- | testdata/locks-git/osv-scanner.json |
-| https://osv.dev/CVE-2024-13176 | 4.1 | GIT | https://github.com/openssl/openssl@45fda76b | -- | testdata/locks-git/osv-scanner.json |
-| https://osv.dev/CVE-2024-9143 | 4.3 | GIT | https://github.com/openssl/openssl@45fda76b | -- | testdata/locks-git/osv-scanner.json |
-| https://osv.dev/CVE-2025-9230 | 7.5 | GIT | https://github.com/openssl/openssl@45fda76b | -- | testdata/locks-git/osv-scanner.json |
-| https://osv.dev/CVE-2025-9231 | 6.5 | GIT | https://github.com/openssl/openssl@45fda76b | -- | testdata/locks-git/osv-scanner.json |
-| https://osv.dev/CVE-2025-9232 | 5.9 | GIT | https://github.com/openssl/openssl@45fda76b | -- | testdata/locks-git/osv-scanner.json |
-| https://osv.dev/CVE-2025-11187 | 6.1 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json |
-| https://osv.dev/CVE-2025-15467 | 9.8 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json |
-| https://osv.dev/CVE-2025-15468 | 5.9 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json |
-| https://osv.dev/CVE-2025-15469 | 5.5 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json |
-| https://osv.dev/CVE-2025-66199 | 5.9 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json |
-| https://osv.dev/CVE-2025-68160 | 4.7 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json |
-| https://osv.dev/CVE-2025-69418 | 4.0 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json |
-| https://osv.dev/CVE-2025-69419 | 7.4 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json |
-| https://osv.dev/CVE-2025-69420 | 7.5 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json |
-| https://osv.dev/CVE-2025-9230 | 7.5 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json |
-| https://osv.dev/CVE-2025-9231 | 6.5 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json |
-| https://osv.dev/CVE-2025-9232 | 5.9 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json |
-| https://osv.dev/CVE-2026-22795 | 5.5 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json |
-| https://osv.dev/CVE-2026-22796 | 5.3 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json |
-| https://osv.dev/CVE-2026-2673 | | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json |
-| https://osv.dev/CVE-2023-53159 | 9.1 | GIT | https://github.com/sfackler-fork/rust-openssl@3b064fdb | -- | testdata/locks-git/osv-scanner.json |
-| https://osv.dev/CVE-2023-6180 | 5.3 | GIT | https://github.com/sfackler-fork/rust-openssl@3b064fdb | -- | testdata/locks-git/osv-scanner.json |
-| https://osv.dev/CVE-2025-24898 | 6.3 | GIT | https://github.com/sfackler-fork/rust-openssl@3b064fdb | -- | testdata/locks-git/osv-scanner.json |
-| https://osv.dev/CVE-2025-3416 | 3.7 | GIT | https://github.com/sfackler-fork/rust-openssl@3b064fdb | -- | testdata/locks-git/osv-scanner.json |
-| https://osv.dev/CVE-2016-10931 | 8.1 | GIT | https://github.com/sfackler/rust-openssl@0f428d19 | -- | testdata/locks-git/osv-scanner.json |
-| https://osv.dev/CVE-2018-20997 | 9.8 | GIT | https://github.com/sfackler/rust-openssl@0f428d19 | -- | testdata/locks-git/osv-scanner.json |
-| https://osv.dev/CVE-2023-53159 | 9.1 | GIT | https://github.com/sfackler/rust-openssl@0f428d19 | -- | testdata/locks-git/osv-scanner.json |
-| https://osv.dev/CVE-2023-6180 | 5.3 | GIT | https://github.com/sfackler/rust-openssl@0f428d19 | -- | testdata/locks-git/osv-scanner.json |
-| https://osv.dev/CVE-2025-3416 | 3.7 | GIT | https://github.com/sfackler/rust-openssl@0f428d19 | -- | testdata/locks-git/osv-scanner.json |
-+--------------------------------+------+-----------+----------------------------------------------------------+---------------+-------------------------------------+
++--------------------------------+------+-----------+----------------------------------------------+----------------+---------------+-------------------------------------+
+| OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | FIXED VERSION | SOURCE |
++--------------------------------+------+-----------+----------------------------------------------+----------------+---------------+-------------------------------------+
+| https://osv.dev/OSV-2018-389 | | GIT | git://github.com/boostorg/boost | boost-1.67.0 | -- | testdata/locks-git/osv-scanner.json |
+| https://osv.dev/OSV-2018-389 | | GIT | github.com/boostorg/boost | boost-1.67.0 | -- | testdata/locks-git/osv-scanner.json |
+| https://osv.dev/OSV-2018-389 | | GIT | http://github.com/boostorg/boost | boost-1.67.0 | -- | testdata/locks-git/osv-scanner.json |
+| https://osv.dev/OSV-2023-1161 | | GIT | https://github.com/Exiv2/exiv2 | v0.28.0 | -- | testdata/locks-git/osv-scanner.json |
+| https://osv.dev/OSV-2024-340 | | GIT | https://github.com/Exiv2/exiv2 | v0.28.0 | -- | testdata/locks-git/osv-scanner.json |
+| https://osv.dev/OSV-2018-389 | | GIT | https://github.com/boostorg/boost | boost-1.67.0 | -- | testdata/locks-git/osv-scanner.json |
+| https://osv.dev/CVE-2024-51757 | 9.3 | GIT | https://github.com/capricorn86/happy-dom.git | v11.1.0 | -- | testdata/locks-git/osv-scanner.json |
+| https://osv.dev/CVE-2025-61927 | 7.2 | GIT | https://github.com/capricorn86/happy-dom.git | v11.1.0 | -- | testdata/locks-git/osv-scanner.json |
+| https://osv.dev/CVE-2025-62410 | 9.4 | GIT | https://github.com/capricorn86/happy-dom.git | v11.1.0 | -- | testdata/locks-git/osv-scanner.json |
+| https://osv.dev/CVE-2026-34226 | 7.5 | GIT | https://github.com/capricorn86/happy-dom.git | v11.1.0 | -- | testdata/locks-git/osv-scanner.json |
+| https://osv.dev/CVE-2016-0701 | 3.7 | GIT | https://github.com/openssl/openssl | | -- | testdata/locks-git/osv-scanner.json |
+| https://osv.dev/CVE-2016-0702 | 5.1 | GIT | https://github.com/openssl/openssl | | -- | testdata/locks-git/osv-scanner.json |
+| https://osv.dev/CVE-2016-0703 | 5.9 | GIT | https://github.com/openssl/openssl | | -- | testdata/locks-git/osv-scanner.json |
+| https://osv.dev/CVE-2016-0704 | 5.9 | GIT | https://github.com/openssl/openssl | | -- | testdata/locks-git/osv-scanner.json |
+| https://osv.dev/CVE-2016-0705 | 9.8 | GIT | https://github.com/openssl/openssl | | -- | testdata/locks-git/osv-scanner.json |
+| https://osv.dev/CVE-2016-0797 | 7.5 | GIT | https://github.com/openssl/openssl | | -- | testdata/locks-git/osv-scanner.json |
+| https://osv.dev/CVE-2016-0798 | 7.5 | GIT | https://github.com/openssl/openssl | | -- | testdata/locks-git/osv-scanner.json |
+| https://osv.dev/CVE-2016-0799 | 9.8 | GIT | https://github.com/openssl/openssl | | -- | testdata/locks-git/osv-scanner.json |
+| https://osv.dev/CVE-2016-0800 | 5.9 | GIT | https://github.com/openssl/openssl | | -- | testdata/locks-git/osv-scanner.json |
+| https://osv.dev/CVE-2016-2105 | 7.5 | GIT | https://github.com/openssl/openssl | | -- | testdata/locks-git/osv-scanner.json |
+| https://osv.dev/CVE-2016-2106 | 7.5 | GIT | https://github.com/openssl/openssl | | -- | testdata/locks-git/osv-scanner.json |
+| https://osv.dev/CVE-2016-2107 | 5.9 | GIT | https://github.com/openssl/openssl | | -- | testdata/locks-git/osv-scanner.json |
+| https://osv.dev/CVE-2016-2108 | 9.8 | GIT | https://github.com/openssl/openssl | | -- | testdata/locks-git/osv-scanner.json |
+| https://osv.dev/CVE-2016-2109 | 7.5 | GIT | https://github.com/openssl/openssl | | -- | testdata/locks-git/osv-scanner.json |
+| https://osv.dev/CVE-2016-2176 | 8.2 | GIT | https://github.com/openssl/openssl | | -- | testdata/locks-git/osv-scanner.json |
+| https://osv.dev/CVE-2016-2177 | 9.8 | GIT | https://github.com/openssl/openssl | | -- | testdata/locks-git/osv-scanner.json |
+| https://osv.dev/CVE-2016-2178 | 5.5 | GIT | https://github.com/openssl/openssl | | -- | testdata/locks-git/osv-scanner.json |
+| https://osv.dev/CVE-2016-2179 | 7.5 | GIT | https://github.com/openssl/openssl | | -- | testdata/locks-git/osv-scanner.json |
+| https://osv.dev/CVE-2016-2181 | 7.5 | GIT | https://github.com/openssl/openssl | | -- | testdata/locks-git/osv-scanner.json |
+| https://osv.dev/CVE-2016-2182 | 9.8 | GIT | https://github.com/openssl/openssl | | -- | testdata/locks-git/osv-scanner.json |
+| https://osv.dev/CVE-2016-2842 | 9.8 | GIT | https://github.com/openssl/openssl | | -- | testdata/locks-git/osv-scanner.json |
+| https://osv.dev/CVE-2016-6302 | 7.5 | GIT | https://github.com/openssl/openssl | | -- | testdata/locks-git/osv-scanner.json |
+| https://osv.dev/CVE-2016-6303 | 9.8 | GIT | https://github.com/openssl/openssl | | -- | testdata/locks-git/osv-scanner.json |
+| https://osv.dev/CVE-2016-6304 | 7.5 | GIT | https://github.com/openssl/openssl | | -- | testdata/locks-git/osv-scanner.json |
+| https://osv.dev/CVE-2016-6305 | 7.5 | GIT | https://github.com/openssl/openssl | | -- | testdata/locks-git/osv-scanner.json |
+| https://osv.dev/CVE-2016-6306 | 5.9 | GIT | https://github.com/openssl/openssl | | -- | testdata/locks-git/osv-scanner.json |
+| https://osv.dev/CVE-2016-6307 | 5.9 | GIT | https://github.com/openssl/openssl | | -- | testdata/locks-git/osv-scanner.json |
+| https://osv.dev/CVE-2016-6308 | 5.9 | GIT | https://github.com/openssl/openssl | | -- | testdata/locks-git/osv-scanner.json |
+| https://osv.dev/CVE-2016-6309 | 9.8 | GIT | https://github.com/openssl/openssl | | -- | testdata/locks-git/osv-scanner.json |
+| https://osv.dev/CVE-2016-7052 | 7.5 | GIT | https://github.com/openssl/openssl | | -- | testdata/locks-git/osv-scanner.json |
+| https://osv.dev/CVE-2016-7053 | 7.5 | GIT | https://github.com/openssl/openssl | | -- | testdata/locks-git/osv-scanner.json |
+| https://osv.dev/CVE-2016-7056 | 5.5 | GIT | https://github.com/openssl/openssl | | -- | testdata/locks-git/osv-scanner.json |
+| https://osv.dev/CVE-2016-8610 | 7.5 | GIT | https://github.com/openssl/openssl | | -- | testdata/locks-git/osv-scanner.json |
+| https://osv.dev/CVE-2017-3730 | 7.5 | GIT | https://github.com/openssl/openssl | | -- | testdata/locks-git/osv-scanner.json |
+| https://osv.dev/CVE-2017-3731 | 7.5 | GIT | https://github.com/openssl/openssl | | -- | testdata/locks-git/osv-scanner.json |
+| https://osv.dev/CVE-2017-3732 | 5.9 | GIT | https://github.com/openssl/openssl | | -- | testdata/locks-git/osv-scanner.json |
+| https://osv.dev/CVE-2017-3733 | 7.5 | GIT | https://github.com/openssl/openssl | | -- | testdata/locks-git/osv-scanner.json |
+| https://osv.dev/CVE-2017-3735 | 5.3 | GIT | https://github.com/openssl/openssl | | -- | testdata/locks-git/osv-scanner.json |
+| https://osv.dev/CVE-2017-3737 | 5.9 | GIT | https://github.com/openssl/openssl | | -- | testdata/locks-git/osv-scanner.json |
+| https://osv.dev/CVE-2017-3738 | 5.9 | GIT | https://github.com/openssl/openssl | | -- | testdata/locks-git/osv-scanner.json |
+| https://osv.dev/CVE-2018-0734 | 5.9 | GIT | https://github.com/openssl/openssl | | -- | testdata/locks-git/osv-scanner.json |
+| https://osv.dev/CVE-2018-0735 | 5.9 | GIT | https://github.com/openssl/openssl | | -- | testdata/locks-git/osv-scanner.json |
+| https://osv.dev/CVE-2018-5407 | 4.7 | GIT | https://github.com/openssl/openssl | | -- | testdata/locks-git/osv-scanner.json |
+| https://osv.dev/CVE-2020-1968 | 3.7 | GIT | https://github.com/openssl/openssl | | -- | testdata/locks-git/osv-scanner.json |
+| https://osv.dev/CVE-2021-23839 | 3.7 | GIT | https://github.com/openssl/openssl | | -- | testdata/locks-git/osv-scanner.json |
+| https://osv.dev/CVE-2021-23841 | 5.9 | GIT | https://github.com/openssl/openssl | | -- | testdata/locks-git/osv-scanner.json |
+| https://osv.dev/CVE-2021-3449 | 5.9 | GIT | https://github.com/openssl/openssl | | -- | testdata/locks-git/osv-scanner.json |
+| https://osv.dev/CVE-2022-2068 | 7.3 | GIT | https://github.com/openssl/openssl | | -- | testdata/locks-git/osv-scanner.json |
+| https://osv.dev/CVE-2022-2097 | 5.3 | GIT | https://github.com/openssl/openssl | | -- | testdata/locks-git/osv-scanner.json |
+| https://osv.dev/CVE-2023-0215 | 7.5 | GIT | https://github.com/openssl/openssl | | -- | testdata/locks-git/osv-scanner.json |
+| https://osv.dev/CVE-2023-0286 | 7.4 | GIT | https://github.com/openssl/openssl | | -- | testdata/locks-git/osv-scanner.json |
+| https://osv.dev/CVE-2023-0401 | 7.5 | GIT | https://github.com/openssl/openssl | | -- | testdata/locks-git/osv-scanner.json |
+| https://osv.dev/CVE-2023-3446 | 5.3 | GIT | https://github.com/openssl/openssl | | -- | testdata/locks-git/osv-scanner.json |
+| https://osv.dev/CVE-2023-6237 | 5.9 | GIT | https://github.com/openssl/openssl | | -- | testdata/locks-git/osv-scanner.json |
+| https://osv.dev/CVE-2024-12797 | 6.3 | GIT | https://github.com/openssl/openssl | | -- | testdata/locks-git/osv-scanner.json |
+| https://osv.dev/CVE-2024-13176 | 4.1 | GIT | https://github.com/openssl/openssl | | -- | testdata/locks-git/osv-scanner.json |
+| https://osv.dev/CVE-2024-2511 | 5.9 | GIT | https://github.com/openssl/openssl | | -- | testdata/locks-git/osv-scanner.json |
+| https://osv.dev/CVE-2024-4603 | 5.3 | GIT | https://github.com/openssl/openssl | | -- | testdata/locks-git/osv-scanner.json |
+| https://osv.dev/CVE-2024-4741 | 7.5 | GIT | https://github.com/openssl/openssl | | -- | testdata/locks-git/osv-scanner.json |
+| https://osv.dev/CVE-2024-5535 | 9.1 | GIT | https://github.com/openssl/openssl | | -- | testdata/locks-git/osv-scanner.json |
+| https://osv.dev/CVE-2024-9143 | 4.3 | GIT | https://github.com/openssl/openssl | | -- | testdata/locks-git/osv-scanner.json |
+| https://osv.dev/CVE-2025-4575 | 6.5 | GIT | https://github.com/openssl/openssl | | -- | testdata/locks-git/osv-scanner.json |
+| https://osv.dev/CVE-2025-9230 | 7.5 | GIT | https://github.com/openssl/openssl | | -- | testdata/locks-git/osv-scanner.json |
+| https://osv.dev/CVE-2025-9231 | 6.5 | GIT | https://github.com/openssl/openssl | | -- | testdata/locks-git/osv-scanner.json |
+| https://osv.dev/CVE-2025-9232 | 5.9 | GIT | https://github.com/openssl/openssl | | -- | testdata/locks-git/osv-scanner.json |
+| https://osv.dev/CVE-2026-2673 | 7.5 | GIT | https://github.com/openssl/openssl | | -- | testdata/locks-git/osv-scanner.json |
+| https://osv.dev/CVE-2016-0701 | 3.7 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json |
+| https://osv.dev/CVE-2016-0703 | 5.9 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json |
+| https://osv.dev/CVE-2016-0704 | 5.9 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json |
+| https://osv.dev/CVE-2016-0798 | 7.5 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json |
+| https://osv.dev/CVE-2016-0799 | 9.8 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json |
+| https://osv.dev/CVE-2016-0800 | 5.9 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json |
+| https://osv.dev/CVE-2016-2106 | 7.5 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json |
+| https://osv.dev/CVE-2016-2108 | 9.8 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json |
+| https://osv.dev/CVE-2016-2109 | 7.5 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json |
+| https://osv.dev/CVE-2016-2176 | 8.2 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json |
+| https://osv.dev/CVE-2016-2177 | 9.8 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json |
+| https://osv.dev/CVE-2016-2179 | 7.5 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json |
+| https://osv.dev/CVE-2016-2181 | 7.5 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json |
+| https://osv.dev/CVE-2016-2182 | 9.8 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json |
+| https://osv.dev/CVE-2016-2842 | 9.8 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json |
+| https://osv.dev/CVE-2016-6302 | 7.5 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json |
+| https://osv.dev/CVE-2016-6305 | 7.5 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json |
+| https://osv.dev/CVE-2016-6307 | 5.9 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json |
+| https://osv.dev/CVE-2016-6308 | 5.9 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json |
+| https://osv.dev/CVE-2016-6309 | 9.8 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json |
+| https://osv.dev/CVE-2016-7053 | 7.5 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json |
+| https://osv.dev/CVE-2016-7056 | 5.5 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json |
+| https://osv.dev/CVE-2016-8610 | 7.5 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json |
+| https://osv.dev/CVE-2017-3730 | 7.5 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json |
+| https://osv.dev/CVE-2017-3733 | 7.5 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json |
+| https://osv.dev/CVE-2017-3735 | 5.3 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json |
+| https://osv.dev/CVE-2017-3737 | 5.9 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json |
+| https://osv.dev/CVE-2020-1968 | 3.7 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json |
+| https://osv.dev/CVE-2022-2068 | 7.3 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json |
+| https://osv.dev/CVE-2022-2097 | 5.3 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json |
+| https://osv.dev/CVE-2023-0215 | 7.5 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json |
+| https://osv.dev/CVE-2023-0286 | 7.4 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json |
+| https://osv.dev/CVE-2023-0401 | 7.5 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json |
+| https://osv.dev/CVE-2023-3446 | 5.3 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json |
+| https://osv.dev/CVE-2023-6129 | 6.5 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json |
+| https://osv.dev/CVE-2023-6237 | 5.9 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json |
+| https://osv.dev/CVE-2024-0727 | 5.5 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json |
+| https://osv.dev/CVE-2024-13176 | 4.1 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json |
+| https://osv.dev/CVE-2024-2511 | 5.9 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json |
+| https://osv.dev/CVE-2024-4603 | 5.3 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json |
+| https://osv.dev/CVE-2024-4741 | 7.5 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json |
+| https://osv.dev/CVE-2024-5535 | 9.1 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json |
+| https://osv.dev/CVE-2024-6119 | 7.5 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json |
+| https://osv.dev/CVE-2024-9143 | 4.3 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json |
+| https://osv.dev/CVE-2025-11187 | 6.1 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json |
+| https://osv.dev/CVE-2025-15467 | 8.8 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json |
+| https://osv.dev/CVE-2025-15468 | 5.9 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json |
+| https://osv.dev/CVE-2025-15469 | 5.5 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json |
+| https://osv.dev/CVE-2025-4575 | 6.5 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json |
+| https://osv.dev/CVE-2025-66199 | 5.9 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json |
+| https://osv.dev/CVE-2025-68160 | 4.7 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json |
+| https://osv.dev/CVE-2025-69418 | 4.0 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json |
+| https://osv.dev/CVE-2025-69419 | 7.4 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json |
+| https://osv.dev/CVE-2025-69420 | 7.5 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json |
+| https://osv.dev/CVE-2025-69421 | 7.5 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json |
+| https://osv.dev/CVE-2025-9230 | 7.5 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json |
+| https://osv.dev/CVE-2025-9231 | 6.5 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json |
+| https://osv.dev/CVE-2025-9232 | 5.9 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json |
+| https://osv.dev/CVE-2026-22795 | 5.5 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json |
+| https://osv.dev/CVE-2026-22796 | 5.3 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json |
+| https://osv.dev/CVE-2026-2673 | 7.5 | GIT | https://github.com/openssl/openssl | openssl-3.5.0 | -- | testdata/locks-git/osv-scanner.json |
+| https://osv.dev/CVE-2016-10931 | 8.1 | GIT | https://github.com/sfackler/rust-openssl | openssl-v0.8.1 | -- | testdata/locks-git/osv-scanner.json |
+| https://osv.dev/CVE-2018-20997 | 9.8 | GIT | https://github.com/sfackler/rust-openssl | openssl-v0.8.1 | -- | testdata/locks-git/osv-scanner.json |
+| https://osv.dev/CVE-2023-53159 | 9.1 | GIT | https://github.com/sfackler/rust-openssl | openssl-v0.8.1 | -- | testdata/locks-git/osv-scanner.json |
++--------------------------------+------+-----------+----------------------------------------------+----------------+---------------+-------------------------------------+
---
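Review bot: The openssl rows with an empty VERSION cell (L699–L764) are new in this snapshot and largely duplicate the `openssl-3.5.0` group below them, including 2016-era advisories (CVE-2016-0701 onward) that the previous commit-pinned rows for `openssl@45fda76b` and `openssl@aea7aaf2` did not report; that pattern suggests a package whose version could not be resolved is being matched against every advisory for the repository rather than being skipped or flagged, which should be confirmed in the scanner before this output is accepted as the expected result. In the same hunk every row for `apache/orc`, `sfackler-fork/rust-openssl` and the Exiv2 `CVE-*` entries disappears, so the change both adds probable false positives and silently drops earlier findings, and the jump from 56 to 140 vulnerabilities hides the second effect. Because the PACKAGE column no longer carries the commit hash, a reader can no longer tell which of the two openssl commits a row refers to; when no tag resolves, emitting the short commit in VERSION (e.g. `45fda76b`) instead of a blank cell would keep the rows distinguishable and auditable. A `.snap` file only records behaviour, so the fix belongs in the version-resolution/matching code, with this snapshot regenerated afterwards.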
@@ -2156,7 +2306,7 @@ Filtered 8 vulnerabilities from output
testdata/osv-scanner-partial-ignores-config.toml has unused ignores:
- CVE-2019-5188
-Total 24 packages affected by 175 known vulnerabilities (20 Critical, 73 High, 55 Medium, 3 Low, 24 Unknown) from 4 ecosystems.
+Total 24 packages affected by 175 known vulnerabilities (20 Critical, 73 High, 55 Medium, 4 Low, 23 Unknown) from 4 ecosystems.
10 vulnerabilities can be fixed.
+---------------------------------------+------+-----------+--------------------------------+------------------------------------+-----------------------------------+---------------------------------------------------------------------+
@@ -2360,7 +2510,7 @@ Total 24 packages affected by 175 known vulnerabilities (20 Critical, 73 High, 5
| https://osv.dev/DSA-5055-1 | 5.5 | Debian | util-linux | 2.29.2-1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/DSA-5650-1 | 5.5 | Debian | util-linux | 2.29.2-1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/DEBIAN-CVE-2016-2779 | 7.8 | Debian | util-linux | 2.29.2-1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |
-| https://osv.dev/DEBIAN-CVE-2026-3184 | | Debian | util-linux | 2.29.2-1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |
+| https://osv.dev/DEBIAN-CVE-2026-3184 | 3.7 | Debian | util-linux | 2.29.2-1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/DSA-5123-1 | 8.8 | Debian | xz-utils | 5.2.2-1.2+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/DSA-5895-1 | 8.7 | Debian | xz-utils | 5.2.2-1.2+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/DEBIAN-CVE-2024-3094 | 10.0 | Debian | xz-utils | 5.2.2-1.2+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |
@@ -2387,7 +2537,7 @@ Filtered 6 vulnerabilities from output
testdata/osv-scanner-partial-ignores-config.toml has unused ignores:
- CVE-2019-5188
-Total 22 packages affected by 169 known vulnerabilities (18 Critical, 71 High, 53 Medium, 3 Low, 24 Unknown) from 3 ecosystems.
+Total 22 packages affected by 169 known vulnerabilities (18 Critical, 71 High, 53 Medium, 4 Low, 23 Unknown) from 3 ecosystems.
10 vulnerabilities can be fixed.
+---------------------------------------+------+-----------+--------------------------------+------------------------------------+-----------------------------------+-------------------------------------------------+
@@ -2585,7 +2735,7 @@ Total 22 packages affected by 169 known vulnerabilities (18 Critical, 71 High, 5
| https://osv.dev/DSA-5055-1 | 5.5 | Debian | util-linux | 2.29.2-1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/DSA-5650-1 | 5.5 | Debian | util-linux | 2.29.2-1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/DEBIAN-CVE-2016-2779 | 7.8 | Debian | util-linux | 2.29.2-1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |
-| https://osv.dev/DEBIAN-CVE-2026-3184 | | Debian | util-linux | 2.29.2-1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |
+| https://osv.dev/DEBIAN-CVE-2026-3184 | 3.7 | Debian | util-linux | 2.29.2-1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/DSA-5123-1 | 8.8 | Debian | xz-utils | 5.2.2-1.2+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/DSA-5895-1 | 8.7 | Debian | xz-utils | 5.2.2-1.2+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/DEBIAN-CVE-2024-3094 | 10.0 | Debian | xz-utils | 5.2.2-1.2+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |
@@ -3149,12 +3299,12 @@ Warning: plugin transitivedependency/pomxml can be risky when run on untrusted a
Total 1 package affected by 2 known vulnerabilities (0 Critical, 2 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem.
0 vulnerabilities can be fixed.
-+--------------------------------+------+-----------+----------------------------+-----------------------------+---------------+-------------------------------------------------------+
-| OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | FIXED VERSION | SOURCE |
-+--------------------------------+------+-----------+----------------------------+-----------------------------+---------------+-------------------------------------------------------+
-| https://osv.dev/CVE-2023-39137 | 7.8 | GIT | https://github.com/brendan-duncan/archive.git@9de7a054 | -- | testdata/locks-insecure/osv-scanner-flutter-deps.json |
-| https://osv.dev/CVE-2023-39139 | 7.8 | GIT | https://github.com/brendan-duncan/archive.git@9de7a054 | -- | testdata/locks-insecure/osv-scanner-flutter-deps.json |
-+--------------------------------+------+-----------+----------------------------------------------------------+---------------+-------------------------------------------------------+
++--------------------------------+------+-----------+-----------------------------------------------+---------+---------------+-------------------------------------------------------+
+| OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | FIXED VERSION | SOURCE |
++--------------------------------+------+-----------+-----------------------------------------------+---------+---------------+-------------------------------------------------------+
+| https://osv.dev/CVE-2023-39137 | 7.8 | GIT | https://github.com/brendan-duncan/archive.git | | -- | testdata/locks-insecure/osv-scanner-flutter-deps.json |
+| https://osv.dev/CVE-2023-39139 | 7.8 | GIT | https://github.com/brendan-duncan/archive.git | | -- | testdata/locks-insecure/osv-scanner-flutter-deps.json |
++--------------------------------+------+-----------+-----------------------------------------------+---------+---------------+-------------------------------------------------------+
---
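Review bot: The two rewritten `CVE-2023-39137`/`CVE-2023-39139` rows now leave the VERSION cell completely empty for `https://github.com/brendan-duncan/archive.git`, whereas the old (mis-aligned, six-cell) rows at least carried the `@9de7a054` commit suffix in the PACKAGE cell, so the revision that was matched is no longer visible anywhere in the table. If the flutter lockfile pins this dependency by commit rather than by tag, the expected rendering should probably be something like `| https://github.com/brendan-duncan/archive.git | 9de7a054 | -- |` so a reader can tell which commit the findings apply to. Worth confirming the blank cell is the intended output of the new column layout and not a field that got dropped while fixing the alignment, before this snapshot is accepted as the expectation.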
@@ -3356,7 +3506,7 @@ Warning: plugin transitivedependency/pomxml can be risky when run on untrusted a
Scanned /testdata/locks-insecure/osv-scanner-custom-git-tag.json file and found 1 package
Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding.
-Total 1 package affected by 40 known vulnerabilities (5 Critical, 15 High, 20 Medium, 0 Low, 0 Unknown) from 1 ecosystem.
+Total 1 package affected by 40 known vulnerabilities (4 Critical, 16 High, 20 Medium, 0 Low, 0 Unknown) from 1 ecosystem.
0 vulnerabilities can be fixed.
+--------------------------------+------+-----------+----------------------------+---------------+---------------+---------------------------------------------------------+
@@ -3393,7 +3543,7 @@ Total 1 package affected by 40 known vulnerabilities (5 Critical, 15 High, 20 Me
| https://osv.dev/CVE-2024-4741 | 7.5 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json |
| https://osv.dev/CVE-2024-5535 | 9.1 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json |
| https://osv.dev/CVE-2024-9143 | 4.3 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json |
-| https://osv.dev/CVE-2025-15467 | 9.8 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json |
+| https://osv.dev/CVE-2025-15467 | 8.8 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json |
| https://osv.dev/CVE-2025-68160 | 4.7 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json |
| https://osv.dev/CVE-2025-69418 | 4.0 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json |
| https://osv.dev/CVE-2025-69419 | 7.4 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json |
@@ -3410,6 +3560,68 @@ Total 1 package affected by 40 known vulnerabilities (5 Critical, 15 High, 20 Me
---
+[TestCommand_HomebrewWithAnnotators/homebrew_extractor_explicitly_enabled_with_annotator - 1]
+Scanning dir ./testdata/homebrew/Cellar/
+Scanned /testdata/homebrew/Cellar/libssh2/1.11.1/INSTALL_RECEIPT.json file and found 1 package
+Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding.
+
+
+Scanning Result (package view):
+Total 1 package affected by 5 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 5 Unknown) from 1 ecosystem.
+0 vulnerabilities can be fixed.
+
+
+GIT
++------------------------------------------------------------------------------------------------------------------+
+| Source:os:/testdata/homebrew/Cellar/libssh |
+| 2/1.11.1/INSTALL_RECEIPT.json |
++------------------------------------+-------------------+------------------+------------+-------------------------+
+| SOURCE PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | BINARY PACKAGES (COUNT) |
++------------------------------------+-------------------+------------------+------------+-------------------------+
+| https://github.com/libssh2/libssh2 | 1.11.1 | No fix available | 5 | |
++------------------------------------+-------------------+------------------+------------+-------------------------+
+
+For the most comprehensive scan results, we recommend using the HTML output: `osv-scanner scan image --serve `.
+You can also view the full vulnerability list in your terminal with: `osv-scanner scan image --format vertical `.
+
+---
+
+[TestCommand_HomebrewWithAnnotators/homebrew_extractor_explicitly_enabled_with_annotator - 2]
+
+---
+
+[TestCommand_HomebrewWithAnnotators/homebrew_extractor_via_artifact_plugin - 1]
+Scanning dir ./testdata/homebrew/Cellar/
+Scanned /testdata/homebrew/Cellar/libssh2/1.11.1/.brew/libssh2.rb file and found 0 packages
+Scanned /testdata/homebrew/Cellar/libssh2/1.11.1/.brew/libssh2.rb file and found 0 packages
+Scanned /testdata/homebrew/Cellar/libssh2/1.11.1/INSTALL_RECEIPT.json file and found 1 package
+Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding.
+
+
+Scanning Result (package view):
+Total 1 package affected by 5 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 5 Unknown) from 1 ecosystem.
+0 vulnerabilities can be fixed.
+
+
+GIT
++------------------------------------------------------------------------------------------------------------------+
+| Source:os:/testdata/homebrew/Cellar/libssh |
+| 2/1.11.1/INSTALL_RECEIPT.json |
++------------------------------------+-------------------+------------------+------------+-------------------------+
+| SOURCE PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | BINARY PACKAGES (COUNT) |
++------------------------------------+-------------------+------------------+------------+-------------------------+
+| https://github.com/libssh2/libssh2 | 1.11.1 | No fix available | 5 | |
++------------------------------------+-------------------+------------------+------------+-------------------------+
+
+For the most comprehensive scan results, we recommend using the HTML output: `osv-scanner scan image --serve `.
+You can also view the full vulnerability list in your terminal with: `osv-scanner scan image --format vertical `.
+
+---
+
+[TestCommand_HomebrewWithAnnotators/homebrew_extractor_via_artifact_plugin - 2]
+
+---
+
[TestCommand_HtmlFile - 1]
---
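Review bot: The two new Homebrew snapshots end with hints that point at `osv-scanner scan image --serve ` and `osv-scanner scan image --format vertical `, each with a trailing space where an image reference would normally go, even though these cases are `scan source` runs over `./testdata/homebrew/Cellar/`; this looks like the image-scan footer being emitted unconditionally by the package-view printer, and accepting the snapshot locks that wording in. The `homebrew_extractor_via_artifact_plugin` case also logs `.brew/libssh2.rb file and found 0 packages` twice, which suggests two extractors in the artifact preset claim the same file; whether that double scan is intended should be checked rather than committed as expected output. The wrapped source header (`libssh` / `2/1.11.1/INSTALL_RECEIPT.json`) splits mid-name, which is presumably a width artefact of the table renderer but makes the path hard to copy from the snapshot.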
@@ -4611,7 +4823,7 @@ Filtered 1 local/unscannable package/s from the scan.
Loaded Debian local db from /osv-scanner/Debian/all.zip
Loaded Go local db from /osv-scanner/Go/all.zip
-Total 22 packages affected by 169 known vulnerabilities (18 Critical, 71 High, 53 Medium, 3 Low, 24 Unknown) from 2 ecosystems.
+Total 21 packages affected by 178 known vulnerabilities (17 Critical, 71 High, 55 Medium, 5 Low, 30 Unknown) from 2 ecosystems.
11 vulnerabilities can be fixed.
+---------------------------------------+------+-----------+--------------------------------+------------------------------------+-----------------------------------+-------------------------------------------------+
@@ -4705,7 +4917,6 @@ Total 22 packages affected by 169 known vulnerabilities (18 Critical, 71 High, 5
| https://osv.dev/DEBIAN-CVE-2026-0989 | 3.7 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/DEBIAN-CVE-2026-0990 | 5.9 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/DEBIAN-CVE-2026-0992 | 2.9 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |
-| https://osv.dev/DEBIAN-CVE-2017-20229 | 9.8 | Debian | mawk | 1.3.3-17+b3 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/DSA-4539-1 | 4.7 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/DSA-4539-3 | | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/DSA-4661-1 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |
@@ -4764,6 +4975,13 @@ Total 22 packages affected by 169 known vulnerabilities (18 Critical, 71 High, 5
| https://osv.dev/DEBIAN-CVE-2025-66199 | 5.9 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/DEBIAN-CVE-2025-9231 | 6.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/DEBIAN-CVE-2026-2673 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |
+| https://osv.dev/DEBIAN-CVE-2026-28386 | | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |
+| https://osv.dev/DEBIAN-CVE-2026-28387 | | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |
+| https://osv.dev/DEBIAN-CVE-2026-28388 | | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |
+| https://osv.dev/DEBIAN-CVE-2026-28389 | | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |
+| https://osv.dev/DEBIAN-CVE-2026-28390 | | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |
+| https://osv.dev/DEBIAN-CVE-2026-31789 | | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |
+| https://osv.dev/DEBIAN-CVE-2026-31790 | | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/DSA-5902-1 | 8.4 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/DEBIAN-CVE-2017-12837 | 7.5 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/DEBIAN-CVE-2017-12883 | 9.1 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |
@@ -4796,6 +5014,7 @@ Total 22 packages affected by 169 known vulnerabilities (18 Critical, 71 High, 5
| https://osv.dev/DEBIAN-CVE-2018-20482 | 4.7 | Debian | tar | 1.29b-1.1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/DEBIAN-CVE-2023-39804 | 6.2 | Debian | tar | 1.29b-1.1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/DLA-3755-1 | | | | | | |
+| https://osv.dev/DEBIAN-CVE-2026-5704 | 5.0 | Debian | tar | 1.29b-1.1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/DLA-3051-1 | | Debian | tzdata | 2021a-0+deb9u3 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/DLA-3134-1 | | Debian | tzdata | 2021a-0+deb9u3 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/DLA-3161-1 | | Debian | tzdata | 2021a-0+deb9u3 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |
@@ -4811,10 +5030,12 @@ Total 22 packages affected by 169 known vulnerabilities (18 Critical, 71 High, 5
| https://osv.dev/DSA-5055-1 | 5.5 | Debian | util-linux | 2.29.2-1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/DSA-5650-1 | 5.5 | Debian | util-linux | 2.29.2-1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/DEBIAN-CVE-2016-2779 | 7.8 | Debian | util-linux | 2.29.2-1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |
-| https://osv.dev/DEBIAN-CVE-2026-3184 | | Debian | util-linux | 2.29.2-1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |
+| https://osv.dev/DEBIAN-CVE-2026-27456 | 4.7 | Debian | util-linux | 2.29.2-1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |
+| https://osv.dev/DEBIAN-CVE-2026-3184 | 3.7 | Debian | util-linux | 2.29.2-1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/DSA-5123-1 | 8.8 | Debian | xz-utils | 5.2.2-1.2+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/DSA-5895-1 | 8.7 | Debian | xz-utils | 5.2.2-1.2+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/DEBIAN-CVE-2024-3094 | 10.0 | Debian | xz-utils | 5.2.2-1.2+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |
+| https://osv.dev/DEBIAN-CVE-2026-34743 | 1.7 | Debian | xz-utils | 5.2.2-1.2+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |
+---------------------------------------+------+-----------+--------------------------------+------------------------------------+-----------------------------------+-------------------------------------------------+
---
@@ -4830,7 +5051,7 @@ Filtered 1 local/unscannable package/s from the scan.
Loaded Debian local db from /osv-scanner/Debian/all.zip
Loaded Go local db from /osv-scanner/Go/all.zip
-Total 22 packages affected by 169 known vulnerabilities (18 Critical, 71 High, 53 Medium, 3 Low, 24 Unknown) from 2 ecosystems.
+Total 21 packages affected by 178 known vulnerabilities (17 Critical, 71 High, 55 Medium, 5 Low, 30 Unknown) from 2 ecosystems.
11 vulnerabilities can be fixed.
+---------------------------------------+------+-----------+--------------------------------+------------------------------------+-----------------------------------+-------------------------------------------------+
@@ -4924,7 +5145,6 @@ Total 22 packages affected by 169 known vulnerabilities (18 Critical, 71 High, 5
| https://osv.dev/DEBIAN-CVE-2026-0989 | 3.7 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/DEBIAN-CVE-2026-0990 | 5.9 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/DEBIAN-CVE-2026-0992 | 2.9 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |
-| https://osv.dev/DEBIAN-CVE-2017-20229 | 9.8 | Debian | mawk | 1.3.3-17+b3 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/DSA-4539-1 | 4.7 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/DSA-4539-3 | | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/DSA-4661-1 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |
@@ -4983,6 +5203,13 @@ Total 22 packages affected by 169 known vulnerabilities (18 Critical, 71 High, 5
| https://osv.dev/DEBIAN-CVE-2025-66199 | 5.9 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/DEBIAN-CVE-2025-9231 | 6.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/DEBIAN-CVE-2026-2673 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |
+| https://osv.dev/DEBIAN-CVE-2026-28386 | | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |
+| https://osv.dev/DEBIAN-CVE-2026-28387 | | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |
+| https://osv.dev/DEBIAN-CVE-2026-28388 | | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |
+| https://osv.dev/DEBIAN-CVE-2026-28389 | | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |
+| https://osv.dev/DEBIAN-CVE-2026-28390 | | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |
+| https://osv.dev/DEBIAN-CVE-2026-31789 | | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |
+| https://osv.dev/DEBIAN-CVE-2026-31790 | | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/DSA-5902-1 | 8.4 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/DEBIAN-CVE-2017-12837 | 7.5 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/DEBIAN-CVE-2017-12883 | 9.1 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |
@@ -5015,6 +5242,7 @@ Total 22 packages affected by 169 known vulnerabilities (18 Critical, 71 High, 5
| https://osv.dev/DEBIAN-CVE-2018-20482 | 4.7 | Debian | tar | 1.29b-1.1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/DEBIAN-CVE-2023-39804 | 6.2 | Debian | tar | 1.29b-1.1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/DLA-3755-1 | | | | | | |
+| https://osv.dev/DEBIAN-CVE-2026-5704 | 5.0 | Debian | tar | 1.29b-1.1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/DLA-3051-1 | | Debian | tzdata | 2021a-0+deb9u3 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/DLA-3134-1 | | Debian | tzdata | 2021a-0+deb9u3 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/DLA-3161-1 | | Debian | tzdata | 2021a-0+deb9u3 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |
@@ -5030,10 +5258,12 @@ Total 22 packages affected by 169 known vulnerabilities (18 Critical, 71 High, 5
| https://osv.dev/DSA-5055-1 | 5.5 | Debian | util-linux | 2.29.2-1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/DSA-5650-1 | 5.5 | Debian | util-linux | 2.29.2-1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/DEBIAN-CVE-2016-2779 | 7.8 | Debian | util-linux | 2.29.2-1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |
-| https://osv.dev/DEBIAN-CVE-2026-3184 | | Debian | util-linux | 2.29.2-1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |
+| https://osv.dev/DEBIAN-CVE-2026-27456 | 4.7 | Debian | util-linux | 2.29.2-1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |
+| https://osv.dev/DEBIAN-CVE-2026-3184 | 3.7 | Debian | util-linux | 2.29.2-1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/DSA-5123-1 | 8.8 | Debian | xz-utils | 5.2.2-1.2+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/DSA-5895-1 | 8.7 | Debian | xz-utils | 5.2.2-1.2+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/DEBIAN-CVE-2024-3094 | 10.0 | Debian | xz-utils | 5.2.2-1.2+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |
+| https://osv.dev/DEBIAN-CVE-2026-34743 | 1.7 | Debian | xz-utils | 5.2.2-1.2+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |
+---------------------------------------+------+-----------+--------------------------------+------------------------------------+-----------------------------------+-------------------------------------------------+
---
@@ -5843,8 +6073,8 @@ Total 3 packages affected by 9 known vulnerabilities (0 Critical, 3 High, 4 Medi
Scanned /testdata/locks-requirements/requirements.txt file and found 3 packages
Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding.
-Total 5 packages affected by 22 known vulnerabilities (1 Critical, 9 High, 10 Medium, 1 Low, 1 Unknown) from 1 ecosystem.
-22 vulnerabilities can be fixed.
+Total 5 packages affected by 23 known vulnerabilities (1 Critical, 9 High, 11 Medium, 1 Low, 1 Unknown) from 1 ecosystem.
+23 vulnerabilities can be fixed.
+-------------------------------------+------+-----------+----------+---------+---------------+----------------------------------------------+
| OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | FIXED VERSION | SOURCE |
@@ -5864,6 +6094,7 @@ Total 5 packages affected by 22 known vulnerabilities (1 Critical, 9 High, 10 Me
| https://osv.dev/GHSA-j8r2-6x86-q33q | | | | | | |
| https://osv.dev/GHSA-9hjg-9r4m-mvj7 | 5.3 | PyPI | requests | 2.20.0 | 2.32.4 | testdata/locks-requirements/requirements.txt |
| https://osv.dev/GHSA-9wx4-h78v-vm56 | 5.6 | PyPI | requests | 2.20.0 | 2.32.0 | testdata/locks-requirements/requirements.txt |
+| https://osv.dev/GHSA-gc5v-m9x4-r6x2 | 4.4 | PyPI | requests | 2.20.0 | 2.33.0 | testdata/locks-requirements/requirements.txt |
| https://osv.dev/PYSEC-2024-60 | 7.5 | PyPI | idna | 2.7.0 | 3.7 | testdata/locks-requirements/requirements.txt |
| https://osv.dev/GHSA-jjg7-2v4v-x38h | | | | | | |
| https://osv.dev/PYSEC-2020-148 | 6.9 | PyPI | urllib3 | 1.24.3 | 1.25.9 | testdata/locks-requirements/requirements.txt |
@@ -5890,8 +6121,8 @@ Total 5 packages affected by 22 known vulnerabilities (1 Critical, 9 High, 10 Me
Scanned /testdata/locks-requirements/requirements.txt file and found 3 packages
Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding.
-Total 5 packages affected by 22 known vulnerabilities (1 Critical, 9 High, 10 Medium, 1 Low, 1 Unknown) from 1 ecosystem.
-22 vulnerabilities can be fixed.
+Total 5 packages affected by 23 known vulnerabilities (1 Critical, 9 High, 11 Medium, 1 Low, 1 Unknown) from 1 ecosystem.
+23 vulnerabilities can be fixed.
+-------------------------------------+------+-----------+----------+---------+---------------+----------------------------------------------+
| OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | FIXED VERSION | SOURCE |
@@ -5911,6 +6142,7 @@ Total 5 packages affected by 22 known vulnerabilities (1 Critical, 9 High, 10 Me
| https://osv.dev/GHSA-j8r2-6x86-q33q | | | | | | |
| https://osv.dev/GHSA-9hjg-9r4m-mvj7 | 5.3 | PyPI | requests | 2.20.0 | 2.32.4 | testdata/locks-requirements/requirements.txt |
| https://osv.dev/GHSA-9wx4-h78v-vm56 | 5.6 | PyPI | requests | 2.20.0 | 2.32.0 | testdata/locks-requirements/requirements.txt |
+| https://osv.dev/GHSA-gc5v-m9x4-r6x2 | 4.4 | PyPI | requests | 2.20.0 | 2.33.0 | testdata/locks-requirements/requirements.txt |
| https://osv.dev/PYSEC-2024-60 | 7.5 | PyPI | idna | 2.7 | 3.7 | testdata/locks-requirements/requirements.txt |
| https://osv.dev/GHSA-jjg7-2v4v-x38h | | | | | | |
| https://osv.dev/PYSEC-2020-148 | 6.9 | PyPI | urllib3 | 1.24.3 | 1.25.9 | testdata/locks-requirements/requirements.txt |
diff --git a/cmd/osv-scanner/scan/source/command_test.go b/cmd/osv-scanner/scan/source/command_test.go
index 3febffb55d7..f5fae2b96cc 100644
--- a/cmd/osv-scanner/scan/source/command_test.go
+++ b/cmd/osv-scanner/scan/source/command_test.go
@@ -450,6 +450,38 @@ func TestCommand_JavareachArchive(t *testing.T) {
}
}
+func TestCommand_HomebrewWithAnnotators(t *testing.T) {
+ t.Parallel()
+
+ if runtime.GOOS != "darwin" {
+ testutility.Skip(t, "The detector in this test only works on Darwin")
+ }
+
+ client := testcmd.InsertCassette(t)
+
+ tests := []testcmd.Case{
+ {
+ Name: "homebrew_extractor_via_artifact_plugin",
+ Args: []string{"", "source", "-r", "--no-ignore", "--experimental-plugins=artifact", "./testdata/homebrew/Cellar/"},
+ Exit: 1,
+ },
+ {
+ Name: "homebrew_extractor_explicitly_enabled_with_annotator",
+ Args: []string{"", "source", "-r", "--no-ignore", "--experimental-plugins=os/homebrew", "--experimental-plugins=misc/brew-source", "./testdata/homebrew/Cellar/"},
+ Exit: 1,
+ },
+ }
+ for _, tt := range tests {
+ t.Run(tt.Name, func(t *testing.T) {
+ t.Parallel()
+
+ tt.HTTPClient = testcmd.WithTestNameHeader(t, *client)
+
+ testcmd.RunAndMatchSnapshots(t, tt)
+ })
+ }
+}
+
func TestCommand_ExplicitExtractors_WithDefaults(t *testing.T) {
t.Parallel()
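Review bot: The `runtime.GOOS != "darwin"` guard means the snapshots this test compares are never exercised on the Linux and Windows matrix legs, so drift in the Homebrew output will only surface on the macOS runner; a one-line comment above the guard explaining why the test is platform-bound would help, e.g. `// The Homebrew extractor/annotator are only wired up on Darwin, so these snapshots are macOS-only.` (adjust if the real reason differs). The skip message says "detector", but the cases enable extractor and annotator plugins (`os/homebrew`, `misc/brew-source`), so the wording should match what is actually under test. Separately, the `t.Run` closure captures `tt` from the `range tests` loop while calling `t.Parallel()`; that is fine with Go 1.22+ per-iteration loop variables, but if go.mod targets an older language version every subtest would see the last case, so either confirm the module's Go version or add `tt := tt` before `t.Run` as the sibling tests in this file presumably do.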
diff --git a/cmd/osv-scanner/scan/source/testdata/cassettes/TestCommand_CommitSupport.yaml b/cmd/osv-scanner/scan/source/testdata/cassettes/TestCommand_CommitSupport.yaml
index a418d5e6e02..ce82ef86319 100644
--- a/cmd/osv-scanner/scan/source/testdata/cassettes/TestCommand_CommitSupport.yaml
+++ b/cmd/osv-scanner/scan/source/testdata/cassettes/TestCommand_CommitSupport.yaml
@@ -342,3 +342,710 @@ interactions:
status: 200 OK
code: 200
duration: 0s
+ - request:
+ proto: HTTP/1.1
+ proto_major: 1
+ proto_minor: 1
+ content_length: 1629
+ host: api.osv.dev
+ body: |
+ {
+ "queries": [
+ {
+ "package": {
+ "ecosystem": "GIT",
+ "name": "git://github.com/boostorg/boost"
+ },
+ "version": "boost-1.67.0"
+ },
+ {
+ "package": {
+ "ecosystem": "GIT",
+ "name": "github.com/boostorg/boost"
+ },
+ "version": "boost-1.67.0"
+ },
+ {
+ "package": {
+ "ecosystem": "GIT",
+ "name": "http://github.com/boostorg/boost"
+ },
+ "version": "boost-1.67.0"
+ },
+ {
+ "package": {
+ "ecosystem": "GIT",
+ "name": "https://github.com/Exiv2/exiv2"
+ },
+ "version": "v0.28.0"
+ },
+ {
+ "package": {
+ "ecosystem": "GIT",
+ "name": "https://github.com/apache/orc"
+ },
+ "version": "v3.19.0"
+ },
+ {
+ "package": {
+ "ecosystem": "GIT",
+ "name": "https://github.com/boostorg/boost"
+ },
+ "version": "boost-1.67.0"
+ },
+ {
+ "package": {
+ "ecosystem": "GIT",
+ "name": "https://github.com/capricorn86/happy-dom.git"
+ },
+ "version": "v11.1.0"
+ },
+ {
+ "commit": "45fda76bc1b9fd74d10e85e0ce9b65a12dcc58b0"
+ },
+ {
+ "package": {
+ "ecosystem": "GIT",
+ "name": "https://github.com/openssl/openssl"
+ },
+ "version": "openssl-3.5.0"
+ },
+ {
+ "package": {
+ "ecosystem": "GIT",
+ "name": "https://github.com/sfackler-fork/rust-openssl"
+ },
+ "version": "openssl-v0.10.23"
+ },
+ {
+ "package": {
+ "ecosystem": "GIT",
+ "name": "https://github.com/sfackler/rust-openssl"
+ },
+ "version": "openssl-v0.8.1"
+ }
+ ]
+ }
+ headers:
+ Content-Type:
+ - application/json
+ X-Test-Name:
+ - TestCommand_CommitSupport/online_uses_git_commits
+ url: https://api.osv.dev/v1/querybatch
+ method: POST
+ response:
+ proto: HTTP/2.0
+ proto_major: 2
+ proto_minor: 0
+ content_length: 9106
+ body: |
+ {
+ "results": [
+ {
+ "vulns": [
+ {
+ "id": "OSV-2018-389",
+ "modified": "2022-04-13T03:04:40.912286Z"
+ }
+ ]
+ },
+ {
+ "vulns": [
+ {
+ "id": "OSV-2018-389",
+ "modified": "2022-04-13T03:04:40.912286Z"
+ }
+ ]
+ },
+ {
+ "vulns": [
+ {
+ "id": "OSV-2018-389",
+ "modified": "2022-04-13T03:04:40.912286Z"
+ }
+ ]
+ },
+ {
+ "vulns": [
+ {
+ "id": "OSV-2023-1161",
+ "modified": "2025-03-18T00:34:06.623648Z"
+ },
+ {
+ "id": "OSV-2024-340",
+ "modified": "2026-04-07T14:25:48.469483Z"
+ }
+ ]
+ },
+ {},
+ {
+ "vulns": [
+ {
+ "id": "OSV-2018-389",
+ "modified": "2022-04-13T03:04:40.912286Z"
+ }
+ ]
+ },
+ {
+ "vulns": [
+ {
+ "id": "CVE-2024-51757",
+ "modified": "2026-04-02T12:23:17.126382Z"
+ },
+ {
+ "id": "CVE-2025-61927",
+ "modified": "2026-04-02T12:57:34.520726Z"
+ },
+ {
+ "id": "CVE-2025-62410",
+ "modified": "2026-04-02T12:57:47.039051Z"
+ },
+ {
+ "id": "CVE-2026-34226",
+ "modified": "2026-04-02T13:29:31.439923Z"
+ }
+ ]
+ },
+ {
+ "vulns": [
+ {
+ "id": "CVE-2016-0701",
+ "modified": "2026-04-01T23:26:39.451139Z"
+ },
+ {
+ "id": "CVE-2016-0702",
+ "modified": "2026-04-01T23:28:43.662146Z"
+ },
+ {
+ "id": "CVE-2016-0703",
+ "modified": "2026-04-01T23:26:24.342221Z"
+ },
+ {
+ "id": "CVE-2016-0704",
+ "modified": "2026-04-01T23:26:24.349093Z"
+ },
+ {
+ "id": "CVE-2016-0705",
+ "modified": "2026-04-01T23:31:34.961680Z"
+ },
+ {
+ "id": "CVE-2016-0797",
+ "modified": "2026-04-01T23:30:52.947050Z"
+ },
+ {
+ "id": "CVE-2016-0798",
+ "modified": "2026-04-01T23:30:03.342358Z"
+ },
+ {
+ "id": "CVE-2016-0799",
+ "modified": "2026-04-01T23:29:08.132236Z"
+ },
+ {
+ "id": "CVE-2016-0800",
+ "modified": "2026-04-01T23:29:55.194175Z"
+ },
+ {
+ "id": "CVE-2016-2105",
+ "modified": "2026-04-01T23:36:25.755643Z"
+ },
+ {
+ "id": "CVE-2016-2106",
+ "modified": "2026-04-01T23:36:11.824548Z"
+ },
+ {
+ "id": "CVE-2016-2107",
+ "modified": "2026-04-01T23:36:25.220756Z"
+ },
+ {
+ "id": "CVE-2016-2108",
+ "modified": "2026-04-01T23:36:14.552979Z"
+ },
+ {
+ "id": "CVE-2016-2109",
+ "modified": "2026-04-01T23:36:09.516812Z"
+ },
+ {
+ "id": "CVE-2016-2176",
+ "modified": "2026-04-01T23:36:25.131388Z"
+ },
+ {
+ "id": "CVE-2016-2177",
+ "modified": "2026-04-01T23:36:20.413546Z"
+ },
+ {
+ "id": "CVE-2016-2178",
+ "modified": "2026-04-01T23:36:42.101511Z"
+ },
+ {
+ "id": "CVE-2016-2179",
+ "modified": "2026-04-01T23:36:17.896736Z"
+ },
+ {
+ "id": "CVE-2016-2181",
+ "modified": "2026-04-01T23:36:29.127761Z"
+ },
+ {
+ "id": "CVE-2016-2182",
+ "modified": "2026-04-01T23:36:30.932915Z"
+ },
+ {
+ "id": "CVE-2016-2842",
+ "modified": "2026-04-01T23:38:31.723546Z"
+ },
+ {
+ "id": "CVE-2016-6302",
+ "modified": "2026-04-01T23:53:30.080722Z"
+ },
+ {
+ "id": "CVE-2016-6303",
+ "modified": "2026-04-01T23:53:51.997796Z"
+ },
+ {
+ "id": "CVE-2016-6304",
+ "modified": "2026-04-01T23:53:59.783019Z"
+ },
+ {
+ "id": "CVE-2016-6305",
+ "modified": "2026-04-01T23:53:43.877761Z"
+ },
+ {
+ "id": "CVE-2016-6306",
+ "modified": "2026-04-01T23:53:59.210272Z"
+ },
+ {
+ "id": "CVE-2016-6307",
+ "modified": "2026-04-01T23:53:42.461031Z"
+ },
+ {
+ "id": "CVE-2016-6308",
+ "modified": "2026-04-01T23:53:26.454277Z"
+ },
+ {
+ "id": "CVE-2016-6309",
+ "modified": "2026-04-01T23:53:43.736712Z"
+ },
+ {
+ "id": "CVE-2016-7052",
+ "modified": "2026-04-01T23:54:15.873031Z"
+ },
+ {
+ "id": "CVE-2016-7053",
+ "modified": "2026-04-01T23:54:07.855301Z"
+ },
+ {
+ "id": "CVE-2016-7056",
+ "modified": "2026-04-01T23:54:13.235667Z"
+ },
+ {
+ "id": "CVE-2016-8610",
+ "modified": "2026-04-01T23:54:51.824504Z"
+ },
+ {
+ "id": "CVE-2017-3730",
+ "modified": "2026-04-02T00:11:21.102504Z"
+ },
+ {
+ "id": "CVE-2017-3731",
+ "modified": "2026-04-02T00:12:14.412340Z"
+ },
+ {
+ "id": "CVE-2017-3732",
+ "modified": "2026-04-02T00:12:12.038689Z"
+ },
+ {
+ "id": "CVE-2017-3733",
+ "modified": "2026-04-02T00:11:29.586943Z"
+ },
+ {
+ "id": "CVE-2017-3735",
+ "modified": "2026-04-02T00:11:22.330095Z"
+ },
+ {
+ "id": "CVE-2017-3737",
+ "modified": "2026-04-02T00:08:44.798469Z"
+ },
+ {
+ "id": "CVE-2017-3738",
+ "modified": "2026-04-02T00:12:13.942591Z"
+ },
+ {
+ "id": "CVE-2018-0734",
+ "modified": "2026-04-02T00:33:08.965494Z"
+ },
+ {
+ "id": "CVE-2018-0735",
+ "modified": "2026-04-02T00:38:08.341105Z"
+ },
+ {
+ "id": "CVE-2018-5407",
+ "modified": "2026-04-02T01:24:46.070208Z"
+ },
+ {
+ "id": "CVE-2020-1968",
+ "modified": "2026-04-02T04:29:27.597946Z"
+ },
+ {
+ "id": "CVE-2021-23839",
+ "modified": "2026-04-02T06:47:56.072444Z"
+ },
+ {
+ "id": "CVE-2021-23841",
+ "modified": "2026-04-02T06:48:54.684635Z"
+ },
+ {
+ "id": "CVE-2021-3449",
+ "modified": "2026-04-02T07:15:38.084873Z"
+ },
+ {
+ "id": "CVE-2022-2068",
+ "modified": "2026-04-02T07:42:19.517492Z"
+ },
+ {
+ "id": "CVE-2022-2097",
+ "modified": "2026-04-02T07:42:20.259535Z"
+ },
+ {
+ "id": "CVE-2023-0215",
+ "modified": "2026-04-02T08:32:42.981492Z"
+ },
+ {
+ "id": "CVE-2023-0286",
+ "modified": "2026-04-02T08:32:43.026586Z"
+ },
+ {
+ "id": "CVE-2023-0401",
+ "modified": "2026-04-02T08:32:29.442023Z"
+ },
+ {
+ "id": "CVE-2023-3446",
+ "modified": "2026-04-02T09:03:26.432117Z"
+ },
+ {
+ "id": "CVE-2023-6237",
+ "modified": "2026-04-02T09:48:01.881441Z"
+ },
+ {
+ "id": "CVE-2024-12797",
+ "modified": "2026-03-23T05:06:57.351567Z"
+ },
+ {
+ "id": "CVE-2024-13176",
+ "modified": "2026-04-02T09:59:53.877093Z"
+ },
+ {
+ "id": "CVE-2024-2511",
+ "modified": "2026-04-02T10:08:02.801311Z"
+ },
+ {
+ "id": "CVE-2024-4603",
+ "modified": "2026-04-02T12:21:16.410893Z"
+ },
+ {
+ "id": "CVE-2024-4741",
+ "modified": "2026-04-02T12:21:07.617700Z"
+ },
+ {
+ "id": "CVE-2024-5535",
+ "modified": "2026-04-02T12:28:22.047392Z"
+ },
+ {
+ "id": "CVE-2024-9143",
+ "modified": "2026-04-02T12:30:23.094298Z"
+ },
+ {
+ "id": "CVE-2025-4575",
+ "modified": "2026-04-02T12:48:51.065458Z"
+ },
+ {
+ "id": "CVE-2025-9230",
+ "modified": "2026-04-02T13:07:48.305234Z"
+ },
+ {
+ "id": "CVE-2025-9231",
+ "modified": "2026-04-02T13:07:41.821305Z"
+ },
+ {
+ "id": "CVE-2025-9232",
+ "modified": "2026-04-02T13:07:48.699162Z"
+ },
+ {
+ "id": "CVE-2026-2673",
+ "modified": "2026-04-02T13:20:25.921852Z"
+ }
+ ]
+ },
+ {
+ "vulns": [
+ {
+ "id": "CVE-2016-0701",
+ "modified": "2026-04-01T23:26:39.451139Z"
+ },
+ {
+ "id": "CVE-2016-0703",
+ "modified": "2026-04-01T23:26:24.342221Z"
+ },
+ {
+ "id": "CVE-2016-0704",
+ "modified": "2026-04-01T23:26:24.349093Z"
+ },
+ {
+ "id": "CVE-2016-0798",
+ "modified": "2026-04-01T23:30:03.342358Z"
+ },
+ {
+ "id": "CVE-2016-0799",
+ "modified": "2026-04-01T23:29:08.132236Z"
+ },
+ {
+ "id": "CVE-2016-0800",
+ "modified": "2026-04-01T23:29:55.194175Z"
+ },
+ {
+ "id": "CVE-2016-2106",
+ "modified": "2026-04-01T23:36:11.824548Z"
+ },
+ {
+ "id": "CVE-2016-2108",
+ "modified": "2026-04-01T23:36:14.552979Z"
+ },
+ {
+ "id": "CVE-2016-2109",
+ "modified": "2026-04-01T23:36:09.516812Z"
+ },
+ {
+ "id": "CVE-2016-2176",
+ "modified": "2026-04-01T23:36:25.131388Z"
+ },
+ {
+ "id": "CVE-2016-2177",
+ "modified": "2026-04-01T23:36:20.413546Z"
+ },
+ {
+ "id": "CVE-2016-2179",
+ "modified": "2026-04-01T23:36:17.896736Z"
+ },
+ {
+ "id": "CVE-2016-2181",
+ "modified": "2026-04-01T23:36:29.127761Z"
+ },
+ {
+ "id": "CVE-2016-2182",
+ "modified": "2026-04-01T23:36:30.932915Z"
+ },
+ {
+ "id": "CVE-2016-2842",
+ "modified": "2026-04-01T23:38:31.723546Z"
+ },
+ {
+ "id": "CVE-2016-6302",
+ "modified": "2026-04-01T23:53:30.080722Z"
+ },
+ {
+ "id": "CVE-2016-6305",
+ "modified": "2026-04-01T23:53:43.877761Z"
+ },
+ {
+ "id": "CVE-2016-6307",
+ "modified": "2026-04-01T23:53:42.461031Z"
+ },
+ {
+ "id": "CVE-2016-6308",
+ "modified": "2026-04-01T23:53:26.454277Z"
+ },
+ {
+ "id": "CVE-2016-6309",
+ "modified": "2026-04-01T23:53:43.736712Z"
+ },
+ {
+ "id": "CVE-2016-7053",
+ "modified": "2026-04-01T23:54:07.855301Z"
+ },
+ {
+ "id": "CVE-2016-7056",
+ "modified": "2026-04-01T23:54:13.235667Z"
+ },
+ {
+ "id": "CVE-2016-8610",
+ "modified": "2026-04-01T23:54:51.824504Z"
+ },
+ {
+ "id": "CVE-2017-3730",
+ "modified": "2026-04-02T00:11:21.102504Z"
+ },
+ {
+ "id": "CVE-2017-3733",
+ "modified": "2026-04-02T00:11:29.586943Z"
+ },
+ {
+ "id": "CVE-2017-3735",
+ "modified": "2026-04-02T00:11:22.330095Z"
+ },
+ {
+ "id": "CVE-2017-3737",
+ "modified": "2026-04-02T00:08:44.798469Z"
+ },
+ {
+ "id": "CVE-2020-1968",
+ "modified": "2026-04-02T04:29:27.597946Z"
+ },
+ {
+ "id": "CVE-2022-2068",
+ "modified": "2026-04-02T07:42:19.517492Z"
+ },
+ {
+ "id": "CVE-2022-2097",
+ "modified": "2026-04-02T07:42:20.259535Z"
+ },
+ {
+ "id": "CVE-2023-0215",
+ "modified": "2026-04-02T08:32:42.981492Z"
+ },
+ {
+ "id": "CVE-2023-0286",
+ "modified": "2026-04-02T08:32:43.026586Z"
+ },
+ {
+ "id": "CVE-2023-0401",
+ "modified": "2026-04-02T08:32:29.442023Z"
+ },
+ {
+ "id": "CVE-2023-3446",
+ "modified": "2026-04-02T09:03:26.432117Z"
+ },
+ {
+ "id": "CVE-2023-6129",
+ "modified": "2026-04-02T09:47:11.223590Z"
+ },
+ {
+ "id": "CVE-2023-6237",
+ "modified": "2026-04-02T09:48:01.881441Z"
+ },
+ {
+ "id": "CVE-2024-0727",
+ "modified": "2026-04-02T09:49:17.983670Z"
+ },
+ {
+ "id": "CVE-2024-13176",
+ "modified": "2026-04-02T09:59:53.877093Z"
+ },
+ {
+ "id": "CVE-2024-2511",
+ "modified": "2026-04-02T10:08:02.801311Z"
+ },
+ {
+ "id": "CVE-2024-4603",
+ "modified": "2026-04-02T12:21:16.410893Z"
+ },
+ {
+ "id": "CVE-2024-4741",
+ "modified": "2026-04-02T12:21:07.617700Z"
+ },
+ {
+ "id": "CVE-2024-5535",
+ "modified": "2026-04-02T12:28:22.047392Z"
+ },
+ {
+ "id": "CVE-2024-6119",
+ "modified": "2026-04-02T12:26:17.322430Z"
+ },
+ {
+ "id": "CVE-2024-9143",
+ "modified": "2026-04-02T12:30:23.094298Z"
+ },
+ {
+ "id": "CVE-2025-11187",
+ "modified": "2026-04-02T12:31:09.087200Z"
+ },
+ {
+ "id": "CVE-2025-15467",
+ "modified": "2026-04-02T12:34:51.332716Z"
+ },
+ {
+ "id": "CVE-2025-15468",
+ "modified": "2026-04-02T12:35:06.860135Z"
+ },
+ {
+ "id": "CVE-2025-15469",
+ "modified": "2026-03-23T05:05:23.819469Z"
+ },
+ {
+ "id": "CVE-2025-4575",
+ "modified": "2026-04-02T12:48:51.065458Z"
+ },
+ {
+ "id": "CVE-2025-66199",
+ "modified": "2026-03-23T05:00:24.564614Z"
+ },
+ {
+ "id": "CVE-2025-68160",
+ "modified": "2026-03-23T05:12:37.160955Z"
+ },
+ {
+ "id": "CVE-2025-69418",
+ "modified": "2026-04-02T13:05:42.562613Z"
+ },
+ {
+ "id": "CVE-2025-69419",
+ "modified": "2026-04-02T13:05:53.476082Z"
+ },
+ {
+ "id": "CVE-2025-69420",
+ "modified": "2026-03-23T05:13:16.365472Z"
+ },
+ {
+ "id": "CVE-2025-69421",
+ "modified": "2026-04-02T13:05:42.582269Z"
+ },
+ {
+ "id": "CVE-2025-9230",
+ "modified": "2026-04-02T13:07:48.305234Z"
+ },
+ {
+ "id": "CVE-2025-9231",
+ "modified": "2026-04-02T13:07:41.821305Z"
+ },
+ {
+ "id": "CVE-2025-9232",
+ "modified": "2026-04-02T13:07:48.699162Z"
+ },
+ {
+ "id": "CVE-2026-22795",
+ "modified": "2026-03-23T05:12:31.733749Z"
+ },
+ {
+ "id": "CVE-2026-22796",
+ "modified": "2026-04-02T13:13:17.422878Z"
+ },
+ {
+ "id": "CVE-2026-2673",
+ "modified": "2026-04-02T13:20:25.921852Z"
+ }
+ ]
+ },
+ {},
+ {
+ "vulns": [
+ {
+ "id": "CVE-2016-10931",
+ "modified": "2026-03-14T09:18:29.278606Z"
+ },
+ {
+ "id": "CVE-2018-20997",
+ "modified": "2026-03-14T09:29:08.646634Z"
+ },
+ {
+ "id": "CVE-2023-53159",
+ "modified": "2026-03-11T18:20:56.090230Z"
+ }
+ ]
+ }
+ ]
+ }
+ headers:
+ Content-Length:
+ - "9106"
+ Content-Type:
+ - application/json
+ status: 200 OK
+ code: 200
+ duration: 0s
diff --git a/cmd/osv-scanner/scan/source/testdata/cassettes/TestCommand_HomebrewWithAnnotators.yaml b/cmd/osv-scanner/scan/source/testdata/cassettes/TestCommand_HomebrewWithAnnotators.yaml
new file mode 100644
index 00000000000..65aefb7a1d3
--- /dev/null
+++ b/cmd/osv-scanner/scan/source/testdata/cassettes/TestCommand_HomebrewWithAnnotators.yaml
@@ -0,0 +1,137 @@
+---
+version: 2
+interactions:
+ - request:
+ proto: HTTP/1.1
+ proto_major: 1
+ proto_minor: 1
+ content_length: 170
+ host: api.osv.dev
+ body: |
+ {
+ "queries": [
+ {
+ "package": {
+ "ecosystem": "GIT",
+ "name": "https://github.com/libssh2/libssh2"
+ },
+ "version": "1.11.1"
+ }
+ ]
+ }
+ headers:
+ Content-Type:
+ - application/json
+ X-Test-Name:
+ - TestCommand_HomebrewWithAnnotators/homebrew_extractor_explicitly_enabled_with_annotator
+ url: https://api.osv.dev/v1/querybatch
+ method: POST
+ response:
+ proto: HTTP/2.0
+ proto_major: 2
+ proto_minor: 0
+ content_length: 337
+ body: |
+ {
+ "results": [
+ {
+ "vulns": [
+ {
+ "id": "OSV-2022-24",
+ "modified": "2025-02-01T14:16:58.476563Z"
+ },
+ {
+ "id": "OSV-2024-847",
+ "modified": "2025-02-01T14:27:03.602163Z"
+ },
+ {
+ "id": "OSV-2025-433",
+ "modified": "2025-06-05T00:02:57.200566Z"
+ },
+ {
+ "id": "OSV-2025-90",
+ "modified": "2025-12-20T14:15:39.033263Z"
+ },
+ {
+ "id": "OSV-2025-92",
+ "modified": "2025-12-20T14:25:09.128654Z"
+ }
+ ]
+ }
+ ]
+ }
+ headers:
+ Content-Length:
+ - "337"
+ Content-Type:
+ - application/json
+ status: 200 OK
+ code: 200
+ duration: 0s
+ - request:
+ proto: HTTP/1.1
+ proto_major: 1
+ proto_minor: 1
+ content_length: 170
+ host: api.osv.dev
+ body: |
+ {
+ "queries": [
+ {
+ "package": {
+ "ecosystem": "GIT",
+ "name": "https://github.com/libssh2/libssh2"
+ },
+ "version": "1.11.1"
+ }
+ ]
+ }
+ headers:
+ Content-Type:
+ - application/json
+ X-Test-Name:
+ - TestCommand_HomebrewWithAnnotators/homebrew_extractor_via_artifact_plugin
+ url: https://api.osv.dev/v1/querybatch
+ method: POST
+ response:
+ proto: HTTP/2.0
+ proto_major: 2
+ proto_minor: 0
+ content_length: 337
+ body: |
+ {
+ "results": [
+ {
+ "vulns": [
+ {
+ "id": "OSV-2022-24",
+ "modified": "2025-02-01T14:16:58.476563Z"
+ },
+ {
+ "id": "OSV-2024-847",
+ "modified": "2025-02-01T14:27:03.602163Z"
+ },
+ {
+ "id": "OSV-2025-433",
+ "modified": "2025-06-05T00:02:57.200566Z"
+ },
+ {
+ "id": "OSV-2025-90",
+ "modified": "2025-12-20T14:15:39.033263Z"
+ },
+ {
+ "id": "OSV-2025-92",
+ "modified": "2025-12-20T14:25:09.128654Z"
+ }
+ ]
+ }
+ ]
+ }
+ headers:
+ Content-Length:
+ - "337"
+ Content-Type:
+ - application/json
+ status: 200 OK
+ code: 200
+ duration: 0s
diff --git a/cmd/osv-scanner/scan/source/testdata/cassettes/TestCommand_Transitive.yaml b/cmd/osv-scanner/scan/source/testdata/cassettes/TestCommand_Transitive.yaml
index feb703f160c..1dd867a211f 100644
--- a/cmd/osv-scanner/scan/source/testdata/cassettes/TestCommand_Transitive.yaml
+++ b/cmd/osv-scanner/scan/source/testdata/cassettes/TestCommand_Transitive.yaml
@@ -1632,6 +1632,163 @@ interactions:
status: 200 OK
code: 200
duration: 0s
+ - request:
+ proto: HTTP/1.1
+ proto_major: 1
+ proto_minor: 1
+ content_length: 997
+ host: api.osv.dev
+ body: |
+ {
+ "queries": [
+ {
+ "package": {
+ "ecosystem": "PyPI",
+ "name": "click"
+ },
+ "version": "8.3.2"
+ },
+ {
+ "package": {
+ "ecosystem": "PyPI",
+ "name": "flask"
+ },
+ "version": "1.0.0"
+ },
+ {
+ "package": {
+ "ecosystem": "PyPI",
+ "name": "flask-cors"
+ },
+ "version": "1.0.0"
+ },
+ {
+ "package": {
+ "ecosystem": "PyPI",
+ "name": "itsdangerous"
+ },
+ "version": "2.2.0"
+ },
+ {
+ "package": {
+ "ecosystem": "PyPI",
+ "name": "jinja2"
+ },
+ "version": "3.1.6"
+ },
+ {
+ "package": {
+ "ecosystem": "PyPI",
+ "name": "markupsafe"
+ },
+ "version": "3.0.3"
+ },
+ {
+ "package": {
+ "ecosystem": "PyPI",
+ "name": "pandas"
+ },
+ "version": "0.23.4"
+ },
+ {
+ "package": {
+ "ecosystem": "PyPI",
+ "name": "werkzeug"
+ },
+ "version": "3.1.8"
+ }
+ ]
+ }
+ headers:
+ Content-Type:
+ - application/json
+ X-Test-Name:
+ - TestCommand_Transitive/requirements.txt_resolution_fallback
+ url: https://api.osv.dev/v1/querybatch
+ method: POST
+ response:
+ proto: HTTP/2.0
+ proto_major: 2
+ proto_minor: 0
+ content_length: 880
+ body: |
+ {
+ "results": [
+ {},
+ {
+ "vulns": [
+ {
+ "id": "GHSA-68rp-wp8r-4726",
+ "modified": "2026-02-23T23:43:45.778179Z"
+ },
+ {
+ "id": "GHSA-m2qf-hxjv-5gpq",
+ "modified": "2025-02-21T05:42:17.337040Z"
+ },
+ {
+ "id": "PYSEC-2023-62",
+ "modified": "2023-11-08T04:12:28.231927Z"
+ }
+ ]
+ },
+ {
+ "vulns": [
+ {
+ "id": "GHSA-43qf-4rqw-9q2g",
+ "modified": "2026-02-04T02:30:19.251090Z"
+ },
+ {
+ "id": "GHSA-7rxf-gvfg-47g4",
+ "modified": "2026-02-04T04:27:15.173118Z"
+ },
+ {
+ "id": "GHSA-84pr-m4jr-85g5",
+ "modified": "2026-02-04T02:57:32.875272Z"
+ },
+ {
+ "id": "GHSA-8vgw-p6qm-5gr7",
+ "modified": "2026-02-04T02:42:09.564281Z"
+ },
+ {
+ "id": "GHSA-hxwh-jpp2-84pm",
+ "modified": "2026-02-04T02:15:39.891834Z"
+ },
+ {
+ "id": "GHSA-xc3p-ff3m-f46v",
+ "modified": "2024-09-20T20:01:25.449661Z"
+ },
+ {
+ "id": "PYSEC-2020-43",
+ "modified": "2025-10-09T07:22:50.566622Z"
+ },
+ {
+ "id": "PYSEC-2024-71",
+ "modified": "2025-10-09T08:27:44.186589Z"
+ }
+ ]
+ },
+ {},
+ {},
+ {},
+ {
+ "vulns": [
+ {
+ "id": "PYSEC-2020-73",
+ "modified": "2023-11-08T04:02:12.263851Z"
+ }
+ ]
+ },
+ {}
+ ]
+ }
+ headers:
+ Content-Length:
+ - "880"
+ Content-Type:
+ - application/json
+ status: 200 OK
+ code: 200
+ duration: 0s
- request:
proto: HTTP/1.1
proto_major: 1
@@ -1674,14 +1831,560 @@ interactions:
"ecosystem": "PyPI",
"name": "flask"
},
- "version": "1.0.0"
+ "version": "1.0.0"
+ },
+ {
+ "package": {
+ "ecosystem": "PyPI",
+ "name": "idna"
+ },
+ "version": "2.7.0"
+ },
+ {
+ "package": {
+ "ecosystem": "PyPI",
+ "name": "itsdangerous"
+ },
+ "version": "2.2.0"
+ },
+ {
+ "package": {
+ "ecosystem": "PyPI",
+ "name": "jinja2"
+ },
+ "version": "3.1.6"
+ },
+ {
+ "package": {
+ "ecosystem": "PyPI",
+ "name": "markupsafe"
+ },
+ "version": "3.0.3"
+ },
+ {
+ "package": {
+ "ecosystem": "PyPI",
+ "name": "pytz"
+ },
+ "version": "2026.1.0.post1"
+ },
+ {
+ "package": {
+ "ecosystem": "PyPI",
+ "name": "requests"
+ },
+ "version": "2.20.0"
+ },
+ {
+ "package": {
+ "ecosystem": "PyPI",
+ "name": "urllib3"
+ },
+ "version": "1.24.3"
+ },
+ {
+ "package": {
+ "ecosystem": "PyPI",
+ "name": "werkzeug"
+ },
+ "version": "3.1.7"
+ }
+ ]
+ }
+ headers:
+ Content-Type:
+ - application/json
+ X-Test-Name:
+ - TestCommand_Transitive/requirements.txt_transitive_default
+ url: https://api.osv.dev/v1/querybatch
+ method: POST
+ response:
+ proto: HTTP/2.0
+ proto_major: 2
+ proto_minor: 0
+ content_length: 2083
+ body: |
+ {
+ "results": [
+ {},
+ {},
+ {},
+ {
+ "vulns": [
+ {
+ "id": "GHSA-68w8-qjq3-2gfm",
+ "modified": "2024-09-20T15:46:52.557962Z"
+ },
+ {
+ "id": "GHSA-6w2r-r2m5-xq5w",
+ "modified": "2026-02-04T04:00:06.061990Z"
+ },
+ {
+ "id": "GHSA-7xr5-9hcq-chf9",
+ "modified": "2026-02-04T03:48:05.224740Z"
+ },
+ {
+ "id": "GHSA-8x94-hmjh-97hq",
+ "modified": "2026-02-04T02:45:55.690257Z"
+ },
+ {
+ "id": "GHSA-frmv-pr5f-9mcr",
+ "modified": "2025-11-27T09:10:30.649595Z"
+ },
+ {
+ "id": "GHSA-qw25-v68c-qjf3",
+ "modified": "2026-02-04T04:08:30.303132Z"
+ },
+ {
+ "id": "GHSA-rrqc-c2jx-6jgv",
+ "modified": "2024-10-30T19:23:59.139649Z"
+ },
+ {
+ "id": "PYSEC-2021-98",
+ "modified": "2023-12-06T01:01:16.755410Z"
+ }
+ ]
+ },
+ {
+ "vulns": [
+ {
+ "id": "GHSA-68rp-wp8r-4726",
+ "modified": "2026-02-23T23:43:45.778179Z"
+ },
+ {
+ "id": "GHSA-m2qf-hxjv-5gpq",
+ "modified": "2025-02-21T05:42:17.337040Z"
+ },
+ {
+ "id": "PYSEC-2023-62",
+ "modified": "2023-11-08T04:12:28.231927Z"
+ }
+ ]
+ },
+ {
+ "vulns": [
+ {
+ "id": "GHSA-jjg7-2v4v-x38h",
+ "modified": "2026-02-04T03:49:45.087439Z"
+ },
+ {
+ "id": "PYSEC-2024-60",
+ "modified": "2024-07-11T17:42:33.704488Z"
+ }
+ ]
+ },
+ {},
+ {},
+ {},
+ {},
+ {
+ "vulns": [
+ {
+ "id": "GHSA-9hjg-9r4m-mvj7",
+ "modified": "2026-02-04T03:44:00.676479Z"
+ },
+ {
+ "id": "GHSA-9wx4-h78v-vm56",
+ "modified": "2026-02-04T02:43:42.271895Z"
+ },
+ {
+ "id": "GHSA-j8r2-6x86-q33q",
+ "modified": "2026-02-04T03:34:13.807518Z"
+ },
+ {
+ "id": "PYSEC-2023-74",
+ "modified": "2023-11-08T04:12:35.436175Z"
+ }
+ ]
+ },
+ {
+ "vulns": [
+ {
+ "id": "GHSA-2xpw-w6gg-jr37",
+ "modified": "2026-02-04T02:36:12.983430Z"
+ },
+ {
+ "id": "GHSA-34jh-p97f-mpxf",
+ "modified": "2026-02-04T03:37:44.850742Z"
+ },
+ {
+ "id": "GHSA-38jv-5279-wg99",
+ "modified": "2026-02-04T03:51:36.162029Z"
+ },
+ {
+ "id": "GHSA-g4mx-q9vg-27p4",
+ "modified": "2026-02-04T03:30:16.767903Z"
+ },
+ {
+ "id": "GHSA-gm62-xv2j-4w53",
+ "modified": "2026-02-04T03:37:15.919661Z"
+ },
+ {
+ "id": "GHSA-pq67-6m6q-mj2v",
+ "modified": "2026-02-04T04:38:01.163387Z"
+ },
+ {
+ "id": "GHSA-v845-jxx5-vc9f",
+ "modified": "2026-02-04T02:58:30.152562Z"
+ },
+ {
+ "id": "GHSA-wqvq-5m8c-6g24",
+ "modified": "2024-11-18T22:47:07.792720Z"
+ },
+ {
+ "id": "PYSEC-2020-148",
+ "modified": "2023-11-08T04:03:14.251187Z"
+ },
+ {
+ "id": "PYSEC-2021-108",
+ "modified": "2023-11-08T04:06:04.829992Z"
+ },
+ {
+ "id": "PYSEC-2023-192",
+ "modified": "2023-11-08T04:13:33.452167Z"
+ },
+ {
+ "id": "PYSEC-2023-212",
+ "modified": "2023-11-08T04:13:39.165450Z"
+ }
+ ]
+ },
+ {}
+ ]
+ }
+ headers:
+ Content-Length:
+ - "2083"
+ Content-Type:
+ - application/json
+ status: 200 OK
+ code: 200
+ duration: 0s
+ - request:
+ proto: HTTP/1.1
+ proto_major: 1
+ proto_minor: 1
+ content_length: 1610
+ host: api.osv.dev
+ body: |
+ {
+ "queries": [
+ {
+ "package": {
+ "ecosystem": "PyPI",
+ "name": "certifi"
+ },
+ "version": "2026.2.25"
+ },
+ {
+ "package": {
+ "ecosystem": "PyPI",
+ "name": "chardet"
+ },
+ "version": "3.0.4"
+ },
+ {
+ "package": {
+ "ecosystem": "PyPI",
+ "name": "click"
+ },
+ "version": "8.3.2"
+ },
+ {
+ "package": {
+ "ecosystem": "PyPI",
+ "name": "django"
+ },
+ "version": "1.11.29"
+ },
+ {
+ "package": {
+ "ecosystem": "PyPI",
+ "name": "flask"
+ },
+ "version": "1.0.0"
+ },
+ {
+ "package": {
+ "ecosystem": "PyPI",
+ "name": "idna"
+ },
+ "version": "2.7.0"
+ },
+ {
+ "package": {
+ "ecosystem": "PyPI",
+ "name": "itsdangerous"
+ },
+ "version": "2.2.0"
+ },
+ {
+ "package": {
+ "ecosystem": "PyPI",
+ "name": "jinja2"
+ },
+ "version": "3.1.6"
+ },
+ {
+ "package": {
+ "ecosystem": "PyPI",
+ "name": "markupsafe"
+ },
+ "version": "3.0.3"
+ },
+ {
+ "package": {
+ "ecosystem": "PyPI",
+ "name": "pytz"
+ },
+ "version": "2026.1.0.post1"
+ },
+ {
+ "package": {
+ "ecosystem": "PyPI",
+ "name": "requests"
+ },
+ "version": "2.20.0"
+ },
+ {
+ "package": {
+ "ecosystem": "PyPI",
+ "name": "urllib3"
+ },
+ "version": "1.24.3"
+ },
+ {
+ "package": {
+ "ecosystem": "PyPI",
+ "name": "werkzeug"
+ },
+ "version": "3.1.8"
+ }
+ ]
+ }
+ headers:
+ Content-Type:
+ - application/json
+ X-Test-Name:
+ - TestCommand_Transitive/requirements.txt_transitive_default
+ url: https://api.osv.dev/v1/querybatch
+ method: POST
+ response:
+ proto: HTTP/2.0
+ proto_major: 2
+ proto_minor: 0
+ content_length: 2153
+ body: |
+ {
+ "results": [
+ {},
+ {},
+ {},
+ {
+ "vulns": [
+ {
+ "id": "GHSA-68w8-qjq3-2gfm",
+ "modified": "2024-09-20T15:46:52.557962Z"
+ },
+ {
+ "id": "GHSA-6w2r-r2m5-xq5w",
+ "modified": "2026-02-04T04:00:06.061990Z"
+ },
+ {
+ "id": "GHSA-7xr5-9hcq-chf9",
+ "modified": "2026-02-04T03:48:05.224740Z"
+ },
+ {
+ "id": "GHSA-8x94-hmjh-97hq",
+ "modified": "2026-02-04T02:45:55.690257Z"
+ },
+ {
+ "id": "GHSA-frmv-pr5f-9mcr",
+ "modified": "2025-11-27T09:10:30.649595Z"
+ },
+ {
+ "id": "GHSA-qw25-v68c-qjf3",
+ "modified": "2026-02-04T04:08:30.303132Z"
+ },
+ {
+ "id": "GHSA-rrqc-c2jx-6jgv",
+ "modified": "2024-10-30T19:23:59.139649Z"
+ },
+ {
+ "id": "PYSEC-2021-98",
+ "modified": "2023-12-06T01:01:16.755410Z"
+ }
+ ]
+ },
+ {
+ "vulns": [
+ {
+ "id": "GHSA-68rp-wp8r-4726",
+ "modified": "2026-02-23T23:43:45.778179Z"
+ },
+ {
+ "id": "GHSA-m2qf-hxjv-5gpq",
+ "modified": "2025-02-21T05:42:17.337040Z"
+ },
+ {
+ "id": "PYSEC-2023-62",
+ "modified": "2023-11-08T04:12:28.231927Z"
+ }
+ ]
+ },
+ {
+ "vulns": [
+ {
+ "id": "GHSA-jjg7-2v4v-x38h",
+ "modified": "2026-02-04T03:49:45.087439Z"
+ },
+ {
+ "id": "PYSEC-2024-60",
+ "modified": "2024-07-11T17:42:33.704488Z"
+ }
+ ]
+ },
+ {},
+ {},
+ {},
+ {},
+ {
+ "vulns": [
+ {
+ "id": "GHSA-9hjg-9r4m-mvj7",
+ "modified": "2026-02-04T03:44:00.676479Z"
+ },
+ {
+ "id": "GHSA-9wx4-h78v-vm56",
+ "modified": "2026-02-04T02:43:42.271895Z"
+ },
+ {
+ "id": "GHSA-gc5v-m9x4-r6x2",
+ "modified": "2026-03-27T22:17:33.595885Z"
+ },
+ {
+ "id": "GHSA-j8r2-6x86-q33q",
+ "modified": "2026-02-04T03:34:13.807518Z"
+ },
+ {
+ "id": "PYSEC-2023-74",
+ "modified": "2023-11-08T04:12:35.436175Z"
+ }
+ ]
+ },
+ {
+ "vulns": [
+ {
+ "id": "GHSA-2xpw-w6gg-jr37",
+ "modified": "2026-02-04T02:36:12.983430Z"
+ },
+ {
+ "id": "GHSA-34jh-p97f-mpxf",
+ "modified": "2026-02-04T03:37:44.850742Z"
+ },
+ {
+ "id": "GHSA-38jv-5279-wg99",
+ "modified": "2026-02-04T03:51:36.162029Z"
+ },
+ {
+ "id": "GHSA-g4mx-q9vg-27p4",
+ "modified": "2026-02-04T03:30:16.767903Z"
+ },
+ {
+ "id": "GHSA-gm62-xv2j-4w53",
+ "modified": "2026-02-04T03:37:15.919661Z"
+ },
+ {
+ "id": "GHSA-pq67-6m6q-mj2v",
+ "modified": "2026-02-04T04:38:01.163387Z"
+ },
+ {
+ "id": "GHSA-v845-jxx5-vc9f",
+ "modified": "2026-02-04T02:58:30.152562Z"
+ },
+ {
+ "id": "GHSA-wqvq-5m8c-6g24",
+ "modified": "2024-11-18T22:47:07.792720Z"
+ },
+ {
+ "id": "PYSEC-2020-148",
+ "modified": "2023-11-08T04:03:14.251187Z"
+ },
+ {
+ "id": "PYSEC-2021-108",
+ "modified": "2023-11-08T04:06:04.829992Z"
+ },
+ {
+ "id": "PYSEC-2023-192",
+ "modified": "2023-11-08T04:13:33.452167Z"
+ },
+ {
+ "id": "PYSEC-2023-212",
+ "modified": "2023-11-08T04:13:39.165450Z"
+ }
+ ]
+ },
+ {}
+ ]
+ }
+ headers:
+ Content-Length:
+ - "2153"
+ Content-Type:
+ - application/json
+ status: 200 OK
+ code: 200
+ duration: 0s
+ - request:
+ proto: HTTP/1.1
+ proto_major: 1
+ proto_minor: 1
+ content_length: 1604
+ host: api.osv.dev
+ body: |
+ {
+ "queries": [
+ {
+ "package": {
+ "ecosystem": "PyPI",
+ "name": "certifi"
+ },
+ "version": "2026.2.25"
+ },
+ {
+ "package": {
+ "ecosystem": "PyPI",
+ "name": "chardet"
+ },
+ "version": "3.0.4"
+ },
+ {
+ "package": {
+ "ecosystem": "PyPI",
+ "name": "click"
+ },
+ "version": "8.3.1"
+ },
+ {
+ "package": {
+ "ecosystem": "PyPI",
+ "name": "django"
+ },
+ "version": "1.11.29"
+ },
+ {
+ "package": {
+ "ecosystem": "PyPI",
+ "name": "flask"
+ },
+ "version": "1.0"
},
{
"package": {
"ecosystem": "PyPI",
"name": "idna"
},
- "version": "2.7.0"
+ "version": "2.7"
},
{
"package": {
@@ -1709,7 +2412,7 @@ interactions:
"ecosystem": "PyPI",
"name": "pytz"
},
- "version": "2026.1.0.post1"
+ "version": "2026.1.post1"
},
{
"package": {
@@ -1738,7 +2441,7 @@ interactions:
Content-Type:
- application/json
X-Test-Name:
- - TestCommand_Transitive/requirements.txt_transitive_default
+ - TestCommand_Transitive/requirements.txt_transitive_native_source
url: https://api.osv.dev/v1/querybatch
method: POST
response:
@@ -1931,7 +2634,7 @@ interactions:
"ecosystem": "PyPI",
"name": "click"
},
- "version": "8.3.1"
+ "version": "8.3.2"
},
{
"package": {
@@ -2001,7 +2704,7 @@ interactions:
"ecosystem": "PyPI",
"name": "werkzeug"
},
- "version": "3.1.7"
+ "version": "3.1.8"
}
]
}
@@ -2016,7 +2719,7 @@ interactions:
proto: HTTP/2.0
proto_major: 2
proto_minor: 0
- content_length: 2083
+ content_length: 2153
body: |
{
"results": [
@@ -2101,6 +2804,10 @@ interactions:
"id": "GHSA-9wx4-h78v-vm56",
"modified": "2026-02-04T02:43:42.271895Z"
},
+ {
+ "id": "GHSA-gc5v-m9x4-r6x2",
+ "modified": "2026-03-27T22:17:33.595885Z"
+ },
{
"id": "GHSA-j8r2-6x86-q33q",
"modified": "2026-02-04T03:34:13.807518Z"
@@ -2168,7 +2875,7 @@ interactions:
}
headers:
Content-Length:
- - "2083"
+ - "2153"
Content-Type:
- application/json
status: 200 OK
diff --git a/cmd/osv-scanner/scan/source/testdata/homebrew/Cellar/libssh2/1.11.1/.brew/libssh2.rb b/cmd/osv-scanner/scan/source/testdata/homebrew/Cellar/libssh2/1.11.1/.brew/libssh2.rb
new file mode 100644
index 00000000000..dfed079483c
--- /dev/null
+++ b/cmd/osv-scanner/scan/source/testdata/homebrew/Cellar/libssh2/1.11.1/.brew/libssh2.rb
@@ -0,0 +1,55 @@
+class Libssh2 < Formula
+ desc "C library implementing the SSH2 protocol"
+ homepage "https://libssh2.org/"
+ url "https://libssh2.org/download/libssh2-1.11.1.tar.gz"
+ mirror "https://github.com/libssh2/libssh2/releases/download/libssh2-1.11.1/libssh2-1.11.1.tar.gz"
+ mirror "http://download.openpkg.org/components/cache/libssh2/libssh2-1.11.1.tar.gz"
+ sha256 "d9ec76cbe34db98eec3539fe2c899d26b0c837cb3eb466a56b0f109cabf658f7"
+ license "BSD-3-Clause"
+
+ livecheck do
+ url "https://libssh2.org/download/"
+ regex(/href=.*?libssh2[._-]v?(\d+(?:\.\d+)+)\./i)
+ end
+
+ head do
+ url "https://github.com/libssh2/libssh2.git", branch: "master"
+
+ depends_on "autoconf" => :build
+ depends_on "automake" => :build
+ depends_on "libtool" => :build
+ end
+
+ depends_on "openssl@3"
+
+ uses_from_macos "zlib"
+
+ def install
+ args = %W[
+ --disable-silent-rules
+ --disable-examples-build
+ --with-openssl
+ --with-libz
+ --with-libssl-prefix=#{Formula["openssl@3"].opt_prefix}
+ ]
+
+ system "./buildconf" if build.head?
+ system "./configure", *std_configure_args, *args
+ system "make", "install"
+ end
+
+ test do
+ (testpath/"test.c").write <<~EOS
+ #include
+
+ int main(void)
+ {
+ libssh2_exit();
+ return 0;
+ }
+ EOS
+
+ system ENV.cc, "test.c", "-L#{lib}", "-lssh2", "-o", "test"
+ system "./test"
+ end
+end
diff --git a/cmd/osv-scanner/scan/source/testdata/homebrew/Cellar/libssh2/1.11.1/INSTALL_RECEIPT.json b/cmd/osv-scanner/scan/source/testdata/homebrew/Cellar/libssh2/1.11.1/INSTALL_RECEIPT.json
new file mode 100644
index 00000000000..0e39c151ef6
--- /dev/null
+++ b/cmd/osv-scanner/scan/source/testdata/homebrew/Cellar/libssh2/1.11.1/INSTALL_RECEIPT.json
@@ -0,0 +1,57 @@
+{
+ "homebrew_version": "4.4.1-34-gaf958b2",
+ "used_options": [],
+ "unused_options": [],
+ "built_as_bottle": true,
+ "poured_from_bottle": true,
+ "loaded_from_api": true,
+ "installed_as_dependency": true,
+ "installed_on_request": false,
+ "changed_files": [
+ "NEWS",
+ "lib/pkgconfig/libssh2.pc"
+ ],
+ "time": 1765466145,
+ "source_modified_time": 1729065801,
+ "compiler": "clang",
+ "aliases": [],
+ "runtime_dependencies": [
+ {
+ "full_name": "ca-certificates",
+ "version": "2025-12-02",
+ "revision": 0,
+ "bottle_rebuild": 0,
+ "pkg_version": "2025-12-02",
+ "declared_directly": false
+ },
+ {
+ "full_name": "openssl@3",
+ "version": "3.6.0",
+ "revision": 0,
+ "bottle_rebuild": 0,
+ "pkg_version": "3.6.0",
+ "declared_directly": true
+ }
+ ],
+ "source": {
+ "spec": "stable",
+ "versions": {
+ "stable": "1.11.1",
+ "head": null,
+ "version_scheme": 0,
+ "compatibility_version": null
+ },
+ "path": "/Users/user/Library/Caches/Homebrew/api/formula.jws.json",
+ "tap_git_head": null,
+ "tap": "homebrew/core"
+ },
+ "arch": "arm64",
+ "built_on": {
+ "os": "Macintosh",
+ "os_version": "macOS 15",
+ "cpu_family": "dunno",
+ "xcode": "16.0",
+ "clt": "16.0.0.0.1.1724870825",
+ "preferred_perl": "5.34"
+ }
+}
\ No newline at end of file
diff --git a/docs/Gemfile.lock b/docs/Gemfile.lock
index 12bdac86e67..1afc1029749 100644
--- a/docs/Gemfile.lock
+++ b/docs/Gemfile.lock
@@ -1,7 +1,7 @@
GEM
remote: https://rubygems.org/
specs:
- addressable (2.8.9)
+ addressable (2.9.0)
public_suffix (>= 2.0.2, < 8.0)
base64 (0.3.0)
bigdecimal (4.0.1)
@@ -89,7 +89,7 @@ GEM
sawyer (~> 0.9)
pathutil (0.16.2)
forwardable-extended (~> 2.6)
- public_suffix (7.0.2)
+ public_suffix (7.0.5)
rake (13.3.1)
rb-fsevent (0.11.2)
rb-inotify (0.11.1)
diff --git a/internal/clients/clientimpl/osvmatcher/osvmatcher.go b/internal/clients/clientimpl/osvmatcher/osvmatcher.go
index 0bdb82ce3bc..6ec87147c2d 100644
--- a/internal/clients/clientimpl/osvmatcher/osvmatcher.go
+++ b/internal/clients/clientimpl/osvmatcher/osvmatcher.go
@@ -4,9 +4,11 @@ import (
"context"
"errors"
"net/http"
+ "strings"
"time"
"github.com/google/osv-scalibr/extractor"
+ "github.com/google/osv-scalibr/purl"
"github.com/google/osv-scanner/v2/internal/cachedregexp"
"github.com/google/osv-scanner/v2/internal/cmdlogger"
"github.com/google/osv-scanner/v2/internal/imodels"
@@ -149,6 +151,11 @@ func pkgToQuery(pkg *extractor.Package) *api.Query {
}
}
+ // Special case for Homebrew packages with a source code repo
+ if pkg.PURL().Type == purl.TypeBrew && pkg.SourceCode != nil {
+ name = strings.ToLower(pkg.SourceCode.Repo)
+ }
+
return &api.Query{
Package: &osvschema.Package{
Name: name,
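Review bot: `pkg.SourceCode != nil` does not guarantee `pkg.SourceCode.Repo` is non-empty, so the new Homebrew branch can replace a valid package name with "" and emit a query with an empty name; guard it with `if pkg.PURL().Type == purl.TypeBrew && pkg.SourceCode != nil && pkg.SourceCode.Repo != "" {`. The same non-empty-repo check applies to the GIT ecosystem fallback added in internal/imodels/imodels.go, which keys off the same `SourceCode != nil` condition. If `pkg.PURL()` can return nil for packages without a PURL type (verify against osv-scalibr), reading `.Type` on it here would panic, so the Brew check should sit behind a nil guard. Lowercasing the whole repository URL is fine for github.com but may not be for case-sensitive hosts; a one-line comment stating why the lowercase form is the one OSV matches on would make the intent reviewable. pkgToQuery begins and ends outside the hunk.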
diff --git a/internal/imodels/imodels.go b/internal/imodels/imodels.go
index dea4a6f2183..d4076c83060 100644
--- a/internal/imodels/imodels.go
+++ b/internal/imodels/imodels.go
@@ -121,6 +121,12 @@ func Ecosystem(pkg *extractor.Package) osvecosystem.Parsed {
eco = newEco
}
+ // If ecosystem is empty and the source code repo is set we set the ecosystem to GIT
+ // since it's likely that the vulnerabilities will be associated with the source code repo
+ if eco.Ecosystem == "" && pkg.SourceCode != nil {
+ eco = osvecosystem.MustParse("GIT")
+ }
+
// TODO(v2): SBOM special case, to be removed after PURL to ESI conversion within each extractor is complete
if purlCache := toCachedPackageInfo(pkg); purlCache != nil {
newEco, err := osvecosystem.Parse(purlCache.Ecosystem)
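Review bot: The GIT fallback is assigned before the SBOM special case directly below it, which re-parses `purlCache.Ecosystem` and, if that parse succeeds, appears to overwrite `eco` again; if a package with a known source repo is meant to always be queried as GIT, that precedence should either be stated or the fallback moved after the PURL-cache block. The comment above the new condition could also be more definite about the contract, e.g. `// Packages with no ecosystem but a known source repo are matched as GIT, keyed by repo URL`. Ecosystem starts and ends outside the hunk.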
diff --git a/internal/output/__snapshots__/vertical_test.snap b/internal/output/__snapshots__/vertical_test.snap
index 16927b5dbc8..073e29a636b 100755
--- a/internal/output/__snapshots__/vertical_test.snap
+++ b/internal/output/__snapshots__/vertical_test.snap
@@ -18,7 +18,6 @@ unknown:/path/to/my/third/lockfile: found 0 packages with issues
no known vulnerabilities found
no license violations found
-
---
[TestPrintVerticalResults_WithLicenseViolations/multiple_sources_with_a_mixed_count_of_packages,_some_license_violations - 1]
@@ -52,7 +51,6 @@ unknown:/path/to/my/third/lockfile: found 0 packages with issues
1 license violation found in unknown:/path/to/my/third/lockfile
-
---
[TestPrintVerticalResults_WithLicenseViolations/multiple_sources_with_a_mixed_count_of_packages,_some_license_violations#01 - 1]
@@ -71,7 +69,6 @@ sbom:/path/to/my/second/lockfile: found 0 packages with issues
unknown:/path/to/my/third/lockfile: found 0 packages with issues
no known vulnerabilities found
-
---
[TestPrintVerticalResults_WithLicenseViolations/multiple_sources_with_a_mixed_count_of_packages_across_ecosystems,_some_license_violations - 1]
@@ -113,7 +110,6 @@ sbom:/path/to/my/second/lockfile: found 0 packages with issues
1 license violation found in sbom:/path/to/my/second/lockfile
-
---
[TestPrintVerticalResults_WithLicenseViolations/multiple_sources_with_a_mixed_count_of_packages_and_groups,_some_license_violations - 1]
@@ -147,7 +143,6 @@ unknown:/path/to/my/third/lockfile: found 0 packages with issues
1 license violation found in unknown:/path/to/my/third/lockfile
-
---
[TestPrintVerticalResults_WithLicenseViolations/multiple_sources_with_no_packages - 1]
@@ -169,7 +164,6 @@ unknown:/path/to/my/third/lockfile: found 0 packages with issues
no known vulnerabilities found
no license violations found
-
---
[TestPrintVerticalResults_WithLicenseViolations/no_sources - 1]
@@ -178,7 +172,6 @@ Total 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medi
0 vulnerabilities can be fixed.
-
---
[TestPrintVerticalResults_WithLicenseViolations/one_source_with_no_packages - 1]
@@ -192,7 +185,6 @@ lockfile:/path/to/my/first/lockfile: found 0 packages with issues
no known vulnerabilities found
no license violations found
-
---
[TestPrintVerticalResults_WithLicenseViolations/one_source_with_one_package,_no_license_violations - 1]
@@ -206,7 +198,6 @@ lockfile:/path/to/my/first/lockfile: found 0 packages with issues
no known vulnerabilities found
no license violations found
-
---
[TestPrintVerticalResults_WithLicenseViolations/one_source_with_one_package,_no_licenses - 1]
@@ -220,7 +211,6 @@ lockfile:/path/to/my/first/lockfile: found 0 packages with issues
no known vulnerabilities found
no license violations found
-
---
[TestPrintVerticalResults_WithLicenseViolations/one_source_with_one_package_and_an_unknown_license - 1]
@@ -234,7 +224,6 @@ lockfile:/path/to/my/first/lockfile: found 0 packages with issues
no known vulnerabilities found
no license violations found
-
---
[TestPrintVerticalResults_WithLicenseViolations/one_source_with_one_package_and_multiple_license_violations - 1]
@@ -252,7 +241,6 @@ lockfile:/path/to/my/first/lockfile: found 0 packages with issues
2 license violations found in lockfile:/path/to/my/first/lockfile
-
---
[TestPrintVerticalResults_WithLicenseViolations/one_source_with_one_package_and_one_license_violation - 1]
@@ -270,7 +258,6 @@ lockfile:/path/to/my/first/lockfile: found 0 packages with issues
1 license violation found in lockfile:/path/to/my/first/lockfile
-
---
[TestPrintVerticalResults_WithLicenseViolations/one_source_with_one_package_and_one_license_violation_(dev) - 1]
@@ -288,7 +275,6 @@ lockfile:/path/to/my/first/lockfile: found 0 packages with issues
1 license violation found in lockfile:/path/to/my/first/lockfile
-
---
[TestPrintVerticalResults_WithLicenseViolations/one_source_with_one_package_with_both_a_version_and_a_commit_and_one_license_violation - 1]
@@ -306,7 +292,6 @@ lockfile:/path/to/my/first/lockfile: found 0 packages with issues
1 license violation found in lockfile:/path/to/my/first/lockfile
-
---
[TestPrintVerticalResults_WithLicenseViolations/one_source_with_one_package_with_just_a_commit_and_one_license_violation - 1]
@@ -324,7 +309,6 @@ lockfile:/path/to/my/first/lockfile: found 0 packages with issues
1 license violation found in lockfile:/path/to/my/first/lockfile
-
---
[TestPrintVerticalResults_WithLicenseViolations/two_sources_with_packages,_one_license_violation - 1]
@@ -346,7 +330,6 @@ sbom:/path/to/my/second/lockfile: found 0 packages with issues
no known vulnerabilities found
no license violations found
-
---
[TestPrintVerticalResults_WithMixedIssues/multiple_sources_with_a_mixed_count_of_packages,_some_called_vulnerabilities_and_license_violations - 1]
@@ -382,7 +365,6 @@ Hiding 1 number of vulnerabilities deemed unimportant, use --all-vulns to show t
2 license violations found in unknown:/path/to/my/third/lockfile
-
---
[TestPrintVerticalResults_WithMixedIssues/multiple_sources_with_a_mixed_count_of_packages,_some_vulnerabilities_and_license_violations - 1]
@@ -428,7 +410,6 @@ unknown:/path/to/my/third/lockfile: found 1 package with issues
2 license violations found in unknown:/path/to/my/third/lockfile
-
---
[TestPrintVerticalResults_WithMixedIssues/multiple_sources_with_a_mixed_count_of_packages_with_versions_and_commits,_some_vulnerabilities_and_license_violations - 1]
@@ -474,7 +455,6 @@ unknown:/path/to/my/third/lockfile: found 1 package with issues
2 license violations found in unknown:/path/to/my/third/lockfile
-
---
[TestPrintVerticalResults_WithMixedIssues/one_source_in_working_directory_with_one_package,_one_vulnerability,_and_one_license_violation - 1]
@@ -497,7 +477,6 @@ lockfile:/path/to/my/first/lockfile: found 1 package with issues
1 license violation found in lockfile:/path/to/my/first/lockfile
-
---
[TestPrintVerticalResults_WithMixedIssues/one_source_with_one_deprecated_package - 1]
@@ -515,7 +494,6 @@ lockfile:/path/to/lockfile: found 0 packages with issues
1 deprecated packages found:
deprecated-pkg@1.0.0
-
---
[TestPrintVerticalResults_WithMixedIssues/one_source_with_one_package,_one_called_vulnerability,_and_one_license_violation - 1]
@@ -538,7 +516,6 @@ lockfile:/path/to/my/first/lockfile: found 1 package with issues
1 license violation found in lockfile:/path/to/my/first/lockfile
-
---
[TestPrintVerticalResults_WithMixedIssues/one_source_with_one_package,_one_uncalled_vulnerability,_and_one_license_violation - 1]
@@ -556,7 +533,6 @@ Hiding 1 number of vulnerabilities deemed unimportant, use --all-vulns to show t
1 license violation found in lockfile:/path/to/my/first/lockfile
-
---
[TestPrintVerticalResults_WithMixedIssues/one_source_with_one_package,_one_vulnerability,_and_one_license_violation - 1]
@@ -579,7 +555,6 @@ lockfile:/path/to/my/first/lockfile: found 1 package with issues
1 license violation found in lockfile:/path/to/my/first/lockfile
-
---
[TestPrintVerticalResults_WithMixedIssues/two_sources_with_packages,_one_vulnerability,_one_license_violation - 1]
@@ -606,7 +581,6 @@ sbom:/path/to/my/second/lockfile: found 0 packages with issues
1 license violation found in sbom:/path/to/my/second/lockfile
-
---
[TestPrintVerticalResults_WithVulnerabilities/multiple_sources_with_a_mixed_count_of_grouped_packages,_and_multiple_vulnerabilities - 1]
@@ -642,7 +616,6 @@ sbom:/path/to/my/second/lockfile: found 2 packages with issues
3 known vulnerabilities found in sbom:/path/to/my/second/lockfile
-
---
[TestPrintVerticalResults_WithVulnerabilities/multiple_sources_with_a_mixed_count_of_packages,_and_multiple_vulnerabilities - 1]
@@ -678,7 +651,6 @@ sbom:/path/to/my/second/lockfile: found 2 packages with issues
3 known vulnerabilities found in sbom:/path/to/my/second/lockfile
-
---
[TestPrintVerticalResults_WithVulnerabilities/multiple_sources_with_a_mixed_count_of_packages,_no_vulnerabilities - 1]
@@ -697,7 +669,6 @@ sbom:/path/to/my/second/lockfile: found 0 packages with issues
unknown:/path/to/my/third/lockfile: found 0 packages with issues
no known vulnerabilities found
-
---
[TestPrintVerticalResults_WithVulnerabilities/multiple_sources_with_a_mixed_count_of_packages,_some_vulnerabilities - 1]
@@ -731,7 +702,6 @@ unknown:/path/to/my/third/lockfile: found 1 package with issues
1 known vulnerability found in unknown:/path/to/my/third/lockfile
-
---
[TestPrintVerticalResults_WithVulnerabilities/multiple_sources_with_a_mixed_count_of_packages_across_ecosystems,_and_multiple_vulnerabilities - 1]
@@ -781,7 +751,6 @@ lockfile:/path/to/my/first/lockfile: found 1 package with issues
1 known vulnerability found in lockfile:/path/to/my/first/lockfile
-
---
[TestPrintVerticalResults_WithVulnerabilities/multiple_sources_with_a_mixed_count_of_packages_across_ecosystems,_and_multiple_vulnerabilities,_but_some_uncalled - 1]
@@ -835,7 +804,6 @@ lockfile:/path/to/my/first/lockfile: found 1 package with issues
1 known vulnerability found in lockfile:/path/to/my/first/lockfile
-
---
[TestPrintVerticalResults_WithVulnerabilities/multiple_sources_with_a_mixed_count_of_packages_across_ecosystems_using_commits_and_version,_and_multiple_vulnerabilities - 1]
@@ -885,7 +853,6 @@ lockfile:/path/to/my/first/lockfile: found 1 package with issues
1 known vulnerability found in lockfile:/path/to/my/first/lockfile
-
---
[TestPrintVerticalResults_WithVulnerabilities/multiple_sources_with_no_packages - 1]
@@ -904,7 +871,6 @@ sbom:/path/to/my/second/lockfile: found 0 packages with issues
unknown:/path/to/my/third/lockfile: found 0 packages with issues
no known vulnerabilities found
-
---
[TestPrintVerticalResults_WithVulnerabilities/no_sources - 1]
@@ -913,7 +879,6 @@ Total 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medi
0 vulnerabilities can be fixed.
-
---
[TestPrintVerticalResults_WithVulnerabilities/one_source_with_no_packages - 1]
@@ -926,7 +891,6 @@ Total 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medi
lockfile:/path/to/my/first/lockfile: found 0 packages with issues
no known vulnerabilities found
-
---
[TestPrintVerticalResults_WithVulnerabilities/one_source_with_one_package,_no_vulnerabilities - 1]
@@ -939,7 +903,6 @@ npm
lockfile:/path/to/my/first/lockfile: found 0 packages with issues
no known vulnerabilities found
-
---
[TestPrintVerticalResults_WithVulnerabilities/one_source_with_one_package,_one_uncalled_vulnerability,_and_one_called_vulnerability - 1]
@@ -963,7 +926,6 @@ lockfile:/path/to/my/first/lockfile: found 1 package with issues
1 uncalled/unimportant vulnerability found in lockfile:/path/to/my/first/lockfile (filtered out)
-
---
[TestPrintVerticalResults_WithVulnerabilities/one_source_with_one_package,_one_vulnerability,_and_a_max_severity - 1]
@@ -981,7 +943,6 @@ lockfile:/path/to/my/first/lockfile: found 1 package with issues
1 known vulnerability found in lockfile:/path/to/my/first/lockfile
-
---
[TestPrintVerticalResults_WithVulnerabilities/one_source_with_one_package_and_one_called_vulnerability - 1]
@@ -999,7 +960,6 @@ lockfile:/path/to/my/first/lockfile: found 1 package with issues
1 known vulnerability found in lockfile:/path/to/my/first/lockfile
-
---
[TestPrintVerticalResults_WithVulnerabilities/one_source_with_one_package_and_one_uncalled_vulnerability - 1]
@@ -1017,7 +977,6 @@ lockfile:/path/to/my/first/lockfile: found 0 packages with issues
1 uncalled/unimportant vulnerability found in lockfile:/path/to/my/first/lockfile (filtered out)
-
---
[TestPrintVerticalResults_WithVulnerabilities/one_source_with_one_package_and_one_vulnerability - 1]
@@ -1035,7 +994,6 @@ lockfile:/path/to/my/first/lockfile: found 1 package with issues
1 known vulnerability found in lockfile:/path/to/my/first/lockfile
-
---
[TestPrintVerticalResults_WithVulnerabilities/one_source_with_one_package_and_one_vulnerability_(dev) - 1]
@@ -1053,7 +1011,6 @@ lockfile:/path/to/my/first/lockfile: found 1 package with issues
1 known vulnerability found in lockfile:/path/to/my/first/lockfile
-
---
[TestPrintVerticalResults_WithVulnerabilities/one_source_with_one_package_and_two_aliases_of_a_single_uncalled_vulnerability - 1]
@@ -1071,7 +1028,6 @@ lockfile:/path/to/my/first/lockfile: found 0 packages with issues
1 uncalled/unimportant vulnerability found in lockfile:/path/to/my/first/lockfile (filtered out)
-
---
[TestPrintVerticalResults_WithVulnerabilities/one_source_with_one_package_and_two_aliases_of_a_single_vulnerability_with_a_max_severity - 1]
@@ -1089,7 +1045,6 @@ lockfile:/path/to/my/first/lockfile: found 1 package with issues
1 known vulnerability found in lockfile:/path/to/my/first/lockfile
-
---
[TestPrintVerticalResults_WithVulnerabilities/one_source_with_one_package_and_two_aliases_of_a_single_vulnerability_without_a_max_severity - 1]
@@ -1107,7 +1062,6 @@ lockfile:/path/to/my/first/lockfile: found 1 package with issues
1 known vulnerability found in lockfile:/path/to/my/first/lockfile
-
---
[TestPrintVerticalResults_WithVulnerabilities/one_source_with_one_package_with_both_a_version_and_commit_and_one_vulnerability - 1]
@@ -1125,7 +1079,6 @@ lockfile:/path/to/my/first/lockfile: found 1 package with issues
1 known vulnerability found in lockfile:/path/to/my/first/lockfile
-
---
[TestPrintVerticalResults_WithVulnerabilities/one_source_with_one_package_with_just_a_commit_and_one_vulnerability - 1]
@@ -1143,7 +1096,6 @@ lockfile:/path/to/my/first/lockfile: found 1 package with issues
1 known vulnerability found in lockfile:/path/to/my/first/lockfile
-
---
[TestPrintVerticalResults_WithVulnerabilities/one_source_with_vulnerabilities,_some_missing_content - 1]
@@ -1164,7 +1116,6 @@ lockfile:/path/to/my/first/lockfile: found 2 packages with issues
2 known vulnerabilities found in lockfile:/path/to/my/first/lockfile
-
---
[TestPrintVerticalResults_WithVulnerabilities/two_sources_with_packages,_one_vulnerability - 1]
@@ -1185,7 +1136,6 @@ lockfile:/path/to/my/first/lockfile: found 1 package with issues
sbom:/path/to/my/second/lockfile: found 0 packages with issues
no known vulnerabilities found
-
---
[TestPrintVerticalResults_WithVulnerabilities/two_sources_with_the_same_vulnerable_package - 1]
@@ -1211,5 +1161,4 @@ sbom:/path/to/my/second/lockfile: found 1 package with issues
1 known vulnerability found in sbom:/path/to/my/second/lockfile
-
---
diff --git a/internal/output/githubannotation.go b/internal/output/githubannotation.go
index 44e6fe099f3..317a4d2d6f1 100644
--- a/internal/output/githubannotation.go
+++ b/internal/output/githubannotation.go
@@ -79,12 +79,20 @@ func PrintGHAnnotationReport(vulnResult *models.VulnerabilityResults, outputWrit
artifactPath = filepath.ToSlash(artifactPath)
+ // Sanitize artifactPath to prevent GitHub Actions workflow command injection.
+ // \r and \n in the file= parameter can terminate the annotation early and inject
+ // arbitrary workflow commands (e.g. ::warning::, ::add-mask::) into the runner output.
+ artifactPath = strings.ReplaceAll(artifactPath, "\r", "%0D")
+ artifactPath = strings.ReplaceAll(artifactPath, "\n", "%0A")
+
remediationTable, hasVulnTable := createSourceRemediationTable(source, groupedFixedVersions)
if hasVulnTable {
renderedTable := remediationTable.Render()
// This is required as github action annotations must be on the same terminal line
// so we URL encode the new line character
renderedTable = strings.ReplaceAll(renderedTable, "\n", "%0A")
+ // Sanitize \r to prevent workflow command injection via carriage return in package names
+ renderedTable = strings.ReplaceAll(renderedTable, "\r", "%0D")
// Prepend the table with a new line to look nicer in the output
fmt.Fprintf(outputWriter, "::error file=%s::%s%s", artifactPath, artifactPath, "%0A"+renderedTable)
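Review bot: The new sanitization of `artifactPath` escapes `\r` and `\n` but not `%`, and for the `file=` property neither `:` nor `,`, which is the full set GitHub's actions/toolkit escapes for workflow-command properties (`%`→`%25`, `\r`→`%0D`, `\n`→`%0A`, `:`→`%3A`, `,`→`%2C`) and for the data part (`%`, `\r`, `\n`). Without `%`→`%25` a literal `%0A` in a path or package name is decoded by the runner, so the round trip is lossy, and without `,`/`:` a path can end the property list early or start a new property. The same replacement pair now appears three times (here, on `renderedTable` two lines below, and again in the deprecation-table hunk of this file), so two small helpers built on `strings.NewReplacer` (a single pass, which avoids the `%`-ordering trap) would keep the escaping in one place; the path also needs data-escaping, not property-escaping, where it is repeated in the message. PrintGHAnnotationReport begins outside the hunk.
```go
// escapeGHProperty escapes a workflow-command property value (e.g. file=) the way
// GitHub's actions/toolkit does. NewReplacer is single-pass, so '%' is not re-escaped.
func escapeGHProperty(s string) string {
	return strings.NewReplacer("%", "%25", "\r", "%0D", "\n", "%0A", ":", "%3A", ",", "%2C").Replace(s)
}

// escapeGHData escapes the message part of a workflow command.
func escapeGHData(s string) string {
	return strings.NewReplacer("%", "%25", "\r", "%0D", "\n", "%0A").Replace(s)
}

// … unchanged: artifactPath = filepath.ToSlash(artifactPath) …
pathProp := escapeGHProperty(artifactPath)
pathData := escapeGHData(artifactPath)
// … unchanged: createSourceRemediationTable call and hasVulnTable check …
renderedTable := escapeGHData(remediationTable.Render())
fmt.Fprintf(outputWriter, "::error file=%s::%s%s", pathProp, pathData, "%0A"+renderedTable)
```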
@@ -95,6 +103,8 @@ func PrintGHAnnotationReport(vulnResult *models.VulnerabilityResults, outputWrit
if hasDeprecationTable {
renderedDeprecationTable := deprecationTable.Render()
renderedDeprecationTable = strings.ReplaceAll(renderedDeprecationTable, "\n", "%0A")
+ // Sanitize \r to prevent workflow command injection via carriage return in package names
+ renderedDeprecationTable = strings.ReplaceAll(renderedDeprecationTable, "\r", "%0D")
fmt.Fprintf(outputWriter, "::error file=%s::%s%s", artifactPath, artifactPath, "%0A"+renderedDeprecationTable)
}
}
diff --git a/internal/output/githubannotation_test.go b/internal/output/githubannotation_test.go
index a8c6c1773b8..d436c22c419 100644
--- a/internal/output/githubannotation_test.go
+++ b/internal/output/githubannotation_test.go
@@ -2,10 +2,12 @@ package output_test
import (
"bytes"
+ "strings"
"testing"
"github.com/google/osv-scanner/v2/internal/output"
"github.com/google/osv-scanner/v2/internal/testutility"
+ "github.com/google/osv-scanner/v2/pkg/models"
)
func TestPrintGHAnnotationReport_WithVulnerabilities(t *testing.T) {
@@ -58,3 +60,57 @@ func TestPrintGHAnnotationReport_WithMixedIssues(t *testing.T) {
testutility.NewSnapshot().MatchText(t, outputWriter.String())
})
}
+
+// TestPrintGHAnnotationReport_CRSanitization verifies that carriage return characters
+// in package paths and names are URL-encoded as %0D rather than emitted raw.
+// Raw \r in GitHub Actions annotation output is treated as a line boundary by the
+// runner, enabling workflow command injection (e.g. ::warning::, ::add-mask::).
+func TestPrintGHAnnotationReport_CRSanitization(t *testing.T) {
+ t.Parallel()
+
+ // Construct a VulnerabilityResults with \r embedded in the source path,
+ // simulating a crafted file path that could be used for command injection.
+ vulnResult := &models.VulnerabilityResults{
+ Results: []models.PackageSource{
+ {
+ Source: models.SourceInfo{
+ Path: "legitimate-scan\r::warning::INJECTED/package-lock.json",
+ Type: "lockfile",
+ },
+ Packages: []models.PackageVulns{
+ {
+ Package: models.PackageInfo{
+ Name: "lodash",
+ Version: "4.17.20",
+ Ecosystem: "npm",
+ },
+ Groups: []models.GroupInfo{
+ {
+ IDs: []string{"GHSA-35jh-r3h4-6jhm"},
+ MaxSeverity: "7.2",
+ },
+ },
+ },
+ },
+ },
+ },
+ }
+
+ outputWriter := &bytes.Buffer{}
+ err := output.PrintGHAnnotationReport(vulnResult, outputWriter)
+ if err != nil {
+ t.Errorf("Error writing GH annotation output: %s", err)
+ }
+
+ result := outputWriter.String()
+
+ // The output must not contain a raw carriage return — it must be encoded as %0D.
+ if strings.Contains(result, "\r") {
+ t.Errorf("GH annotation output contains raw \\r character, which enables workflow command injection.\nOutput: %q", result)
+ }
+
+ // The encoded form must be present instead.
+ if !strings.Contains(result, "%0D") {
+ t.Errorf("GH annotation output does not contain %%0D encoding for \\r character.\nOutput: %q", result)
+ }
+}
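Review bot: The header comment says the test covers `\r` in package names as well as paths, but the fixture only embeds `\r` in `Source.Path`, so the table sanitization in PrintGHAnnotationReport is never exercised; give the package a name such as `Name: "lodash\rinjected"` (or add a second case) so that branch is covered too. On a write error `t.Errorf` lets the test run on and then fail on the `%0D` assertion with a misleading message; `t.Fatalf("Error writing GH annotation output: %s", err)` stops at the real cause. Asserting that no `\n` occurs other than at the end of each annotation line would also pin the newline encoding handled on the same code path.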
diff --git a/internal/output/vertical.go b/internal/output/vertical.go
index 7bb232c5e3a..4286a493cee 100644
--- a/internal/output/vertical.go
+++ b/internal/output/vertical.go
@@ -51,7 +51,7 @@ func PrintVerticalResults(vulnResult *models.VulnerabilityResults, outputWriter
}
}
- fmt.Fprintln(outputWriter)
+ fmt.Fprint(outputWriter)
}
func printVerticalLicenseSummary(licenseSummary LicenseSummary, out io.Writer) {
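Review bot: `fmt.Fprint(outputWriter)` with no operands writes nothing, so the replacement line is a dead call left where the trailing newline used to be; delete the line instead of keeping it (a linter may well flag a no-argument Fprint). If `fmt` is then unused elsewhere in the file the import goes with it, which cannot be confirmed from this hunk. PrintVerticalResults starts outside the hunk.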
diff --git a/internal/scalibrplugin/__snapshots__/resolve_test.snap b/internal/scalibrplugin/__snapshots__/resolve_test.snap
index 52d89aa2114..78775b5c3d1 100755
--- a/internal/scalibrplugin/__snapshots__/resolve_test.snap
+++ b/internal/scalibrplugin/__snapshots__/resolve_test.snap
@@ -30,8 +30,10 @@ javascript/packagelockjson
javascript/pnpmlock
javascript/yarnlock
license/depsdev
+misc/brew-source
os/apk
os/dpkg
+os/homebrew
osv/osvscannerjson
php/composerlock
python/pdmlock
@@ -65,8 +67,10 @@ baseimage
go/binary
java/archive
javascript/nodemodules
+misc/brew-source
os/apk
os/dpkg
+os/homebrew
python/wheelegg
rust/cargoauditable
vex/os-duplicate/apk
@@ -102,8 +106,10 @@ baseimage
go/binary
java/archive
javascript/nodemodules
+misc/brew-source
os/apk
os/dpkg
+os/homebrew
python/wheelegg
rust/cargoauditable
vex/os-duplicate/apk
@@ -128,8 +134,10 @@ baseimage
go/binary
java/archive
javascript/nodemodules
+misc/brew-source
os/apk
os/dpkg
+os/homebrew
python/wheelegg
rust/cargoauditable
vex/os-duplicate/apk
diff --git a/internal/scalibrplugin/presets.go b/internal/scalibrplugin/presets.go
index fa757147eab..c4194ed96da 100644
--- a/internal/scalibrplugin/presets.go
+++ b/internal/scalibrplugin/presets.go
@@ -4,6 +4,7 @@ import (
"fmt"
annotatorlist "github.com/google/osv-scalibr/annotator/list"
+ "github.com/google/osv-scalibr/annotator/misc/brewsource"
apkanno "github.com/google/osv-scalibr/annotator/osduplicate/apk"
dpkganno "github.com/google/osv-scalibr/annotator/osduplicate/dpkg"
cpb "github.com/google/osv-scalibr/binary/proto/config_go_proto"
@@ -46,6 +47,7 @@ import (
extractors "github.com/google/osv-scalibr/extractor/filesystem/list"
"github.com/google/osv-scalibr/extractor/filesystem/os/apk"
"github.com/google/osv-scalibr/extractor/filesystem/os/dpkg"
+ "github.com/google/osv-scalibr/extractor/filesystem/os/homebrew"
"github.com/google/osv-scalibr/extractor/filesystem/sbom/cdx"
"github.com/google/osv-scalibr/extractor/filesystem/sbom/spdx"
"github.com/google/osv-scanner/v2/internal/datasource"
@@ -153,6 +155,8 @@ var ExtractorPresets = map[string]extractors.InitMap{
apk.Name: {apk.New},
// Debian
dpkg.Name: {dpkg.New},
+ // Homebrew
+ homebrew.Name: {homebrew.New},
},
}
@@ -170,8 +174,9 @@ var enricherPresets = map[string]enricherlist.InitMap{
var annotatorPresets = map[string]annotatorlist.InitMap{
"artifact": {
- apkanno.Name: {apkanno.New},
- dpkganno.Name: {dpkganno.New},
+ apkanno.Name: {apkanno.New},
+ dpkganno.Name: {dpkganno.New},
+ brewsource.Name: {brewsource.New},
},
}
diff --git a/internal/scalibrplugin/resolve_test.go b/internal/scalibrplugin/resolve_test.go
index 55abea2507b..169b9b83150 100644
--- a/internal/scalibrplugin/resolve_test.go
+++ b/internal/scalibrplugin/resolve_test.go
@@ -6,6 +6,7 @@ import (
"testing"
"github.com/google/go-cmp/cmp"
+ "github.com/google/osv-scalibr/annotator/misc/brewsource"
apkanno "github.com/google/osv-scalibr/annotator/osduplicate/apk"
dpkganno "github.com/google/osv-scalibr/annotator/osduplicate/dpkg"
cpb "github.com/google/osv-scalibr/binary/proto/config_go_proto"
@@ -29,6 +30,7 @@ import (
chromeextensions "github.com/google/osv-scalibr/extractor/filesystem/misc/chrome/extensions"
"github.com/google/osv-scalibr/extractor/filesystem/os/apk"
"github.com/google/osv-scalibr/extractor/filesystem/os/dpkg"
+ "github.com/google/osv-scalibr/extractor/filesystem/os/homebrew"
"github.com/google/osv-scalibr/extractor/filesystem/sbom/cdx"
"github.com/google/osv-scalibr/extractor/filesystem/sbom/spdx"
"github.com/google/osv-scanner/v2/internal/scalibrextract/filesystem/vendored"
@@ -516,11 +518,13 @@ func TestResolve_Extractors(t *testing.T) {
baseimage.Name,
cargoauditable.Name,
dpkg.Name,
+ homebrew.Name,
gobinary.Name,
nodemodules.Name,
wheelegg.Name,
apkanno.Name,
dpkganno.Name,
+ brewsource.Name,
},
},
{
@@ -535,11 +539,13 @@ func TestResolve_Extractors(t *testing.T) {
baseimage.Name,
cargoauditable.Name,
dpkg.Name,
+ homebrew.Name,
gobinary.Name,
nodemodules.Name,
wheelegg.Name,
apkanno.Name,
dpkganno.Name,
+ brewsource.Name,
},
},
{
@@ -561,9 +567,11 @@ func TestResolve_Extractors(t *testing.T) {
baseimage.Name,
dpkg.Name,
gobinary.Name,
+ homebrew.Name,
nodemodules.Name,
apkanno.Name,
dpkganno.Name,
+ brewsource.Name,
},
},
//
@@ -579,6 +587,7 @@ func TestResolve_Extractors(t *testing.T) {
baseimage.Name,
cargoauditable.Name,
dpkg.Name,
+ homebrew.Name,
gitrepo.Name,
gobinary.Name,
nodemodules.Name,
@@ -586,6 +595,7 @@ func TestResolve_Extractors(t *testing.T) {
wheelegg.Name,
apkanno.Name,
dpkganno.Name,
+ brewsource.Name,
},
},
//
diff --git a/internal/utility/vulns/vulnerability.go b/internal/utility/vulns/vulnerability.go
index 58c3d320a42..590c0a19f40 100644
--- a/internal/utility/vulns/vulnerability.go
+++ b/internal/utility/vulns/vulnerability.go
@@ -132,9 +132,10 @@ func hasGitRangeForRepo(affected *osvschema.Affected, repo string) bool {
func IsAffected(v *osvschema.Vulnerability, pkg *extractor.Package) bool {
for _, affected := range v.GetAffected() {
+ pkgEcosystem := imodels.Ecosystem(pkg)
// assume we're dealing with a git-source package whose name is the git repository, and that the version is the tag
// the underlying commit has been resolved to (somehow), meaning we can check if it's in the versions listed by the advisory
- if imodels.Ecosystem(pkg).IsEmpty() && imodels.Commit(pkg) != "" && imodels.Version(pkg) != "" {
+ if (pkgEcosystem.IsEmpty() || pkgEcosystem.Ecosystem == "GIT") && imodels.Commit(pkg) != "" && imodels.Version(pkg) != "" {
if hasGitRangeForRepo(affected, imodels.Name(pkg)) && slices.Contains(affected.GetVersions(), imodels.Version(pkg)) {
return true
}
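Review bot: `pkgEcosystem := imodels.Ecosystem(pkg)` does not depend on `affected`, so the new line recomputes it on every iteration; hoist it above `for _, affected := range v.GetAffected() {`. The literal `"GIT"` in `pkgEcosystem.Ecosystem == "GIT"` duplicates the `MustParse("GIT")` added to internal/imodels/imodels.go in this commit; a shared constant in imodels would keep the two comparisons in step. IsAffected continues beyond the hunk.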
diff --git a/pkg/osvscanner/__snapshots__/osvscanner_test.snap b/pkg/osvscanner/__snapshots__/osvscanner_test.snap
index 8e3a00fd192..0d955fb3748 100755
--- a/pkg/osvscanner/__snapshots__/osvscanner_test.snap
+++ b/pkg/osvscanner/__snapshots__/osvscanner_test.snap
@@ -12,7 +12,7 @@
"package": {
"name": "",
"version": "",
- "ecosystem": "",
+ "ecosystem": "GIT",
"commit": "33dffa3909a67e1b5d22647128ab7eb6e53fd0c7"
},
"groups": [
diff --git a/renovate.json b/renovate.json
index e43220beffc..15a9f46ad48 100644
--- a/renovate.json
+++ b/renovate.json
@@ -6,6 +6,7 @@
"labels": ["dependencies"],
"postUpdateOptions": ["gomodTidy"],
"osvVulnerabilityAlerts": true,
+ "minimumReleaseAge": "7 days",
"lockFileMaintenance": {
"enabled": true
},